Via Brad Neuberg: RSnake’s XSS (Cross Site Scripting) Cheatsheet: Esp: for filter evasion.

Limitations on cross site scripting (XSS hereafter) have been troubling me as I try to write enhancements to our library catalog, but the reasons for the prohibition are sound. Without them I could snort your browser cookies (RSnake lists: “cookie/credential stealing/replay/session riding” among the threats, but a well-planned attack could also fetch resources from internal webservers and deliver them to external data thieves).
It turns out you can insert JavaScript in <img> tags (among many, many others) and obfuscate it with Unicode, hex, and other less-readable encodings or by inserting tab characters (“&#x09;”) or newlines (“&#x0A;”). It would be impossible for me to list every possible attack vector, but RSnake takes a good stab at it.

If you allow users to insert HTML in comments, you should be aware of this….

tags: browser threats, cheatsheet, cross site javascript, cross site scripting, filter evasion, internet threats, javascript, scripting, threat, threats, web, web browser, xss

The Flock preview is out and I love it. The good folks at WordPress.com are saying “it’s like Firefox with goodies.” I’m saying it’s a browser built for Web 2.0.

tags: web2.0, browser, firefox, flock, goodies, web 2.0, web 20, web browser, web20

Bookmarklets are interesting little bits of JavaScript stored as bookmarks. They’ve been around since about 1998 (earlier?), but I’ve never bothered to write one.

Here are a few examples:

• This sort of creates a bookmark
• Alexa Snapshot
• Wayback

tags: bookmark, bookmarklet, browser, javascript, web, web browser

The developers describe Flock as

[T]he world’s most innovative social browsing experience. We call it the two-way web.

Which is a good enough sales pitch to make me try the free demo, but it’s all still a private beta. Perhaps they’re trying to prove the point that nothing builds buzz better than unavailability. Osakasteve gushes:

A browser that is designed around social software like blogs and flickr

And Roland Tanglao overflowed:

I was blown away! Drag and drop blogging – drag text from a blog post and it automatically creates a cite tag with a link to the original post and the quoted text is indented using a blockquote tag. Drag and drop Flickr photos. And Chris teased me with some more future features like having del.icio.us as your bookmarks (goodbye to useless local bookmarks).

Extra: it’s based on Firefox and will fully love Mac, Win, and Linux. Interesting ideas…where’s my beta invite?

tags: blogging, blogs, drag and drop, firefox, flickr, flock, mac win linux, private beta, sales pitch, social bookmarking, social bookmarks, social browser, social browsing, social networking, social software, social web browser, web browser