Thursday, February 18, 2010

Cook me up

This post focuses on the topic of cooking, that is, escaping, in web applications.

Cooking is the process of stripping, changing or modifying user input so that it cannot be used for attacks like XSS. There are many ways to do it. One way is to strip the input the user provides on the way in, removing tags like <script> or <img>; quotes are also removed so that JavaScript errors are avoided.

The other way is to take whatever input the user provides and store it as-is in the database. The only place you cook it is in the UI: escape or change whatever you feel would let your app succumb to XSS, and only then display it. This, I feel, is the right way to do it.

Many applications you see now also have a JSON part to them, and it may be that the application is accessed by many other applications that consume the data. Not cooking this data is somewhat buggy, while cooking it on the server defeats the purpose if the data ends up shown in a simple textarea. So I would rather let JavaScript cook it using the functions available.


Update: Buzz has a problem with this. My blog title is << Dinks >> and look how it came up in Buzz ...