Jordan's Profile

About Me:

Last 10 Comments

1

Bickering aside, I think the technical details that Stefan points out are important. I might temper them a bit with the fact that it's a combination of CSRF and the violation of the same domain policy that makes the attack interesting. If it's not CSRF, then you're not going to get useful data back from your script request, and because you can subvert the javascript object creation, you get access to the useful data. The really interesting vulnerabilities are in cases where both are an issue.

And in fact, there are two distinct sets of fixes to the problem for that reason. The first class depends on getting the server to not send data back to the client because you can tell it wasn't from your legitimate application (via cookie value on the url, or whatever similar method), and the others depend on helping the browser do the right thing and keep the same domain policy intact (prefixing JSON data with comment characters, for example).

Posted in /blog/2007/apr/javascript-hijacking.

Sat, 07 Apr 2007 at 14:02:18


2

Mod down! :-P There is little to no reason for email address links to be posted in blog comments.

@Edward: See my original comment -- I wasn't suggesting it for all comments, but it does seem appropriate for the personal profile page where I was trying to use it, doesn't it?

http://shiflett.org/community/members/jordan

Posted in /blog/2007/mar/allowing-html-and-preventing-xss.

Thu, 15 Mar 2007 at 19:25:42


3

Also -- looks like mailto links are currently broken (see my profile page). Intentional or one of those features you're working on but isn't currently allowed by the pattern matching?

Posted in /blog/2007/mar/allowing-html-and-preventing-xss.

Wed, 14 Mar 2007 at 01:49:59


4

I have this sneaking suspicion you just wanted to show off your exclamation alert and the pull-quote element.

Of course, if I had such well designed elements on my blog I'd be tempted to throw them in randomly as well. ;-)

Posted in /blog/2007/mar/allowing-html-and-preventing-xss.

Wed, 14 Mar 2007 at 01:45:07


Stats

  • Member Since: 14 Mar 2007
  • Comments: 4

Web Site

jwiens.myopenid.com

Blog Posts
