Tuesday, November 14

I'm working with a variant of XSS-countermeasure 3 from my earlier post. I still sanitise comments (though there are some holes in the current implementation), but I won't bother with the posts or templates. Yes, the owner of a blog will be able to steal your cookie. I've just set things up so that the cookie isn't any good to him.
Which means (yay!) users can Ajax all they want* and (yay!!) I don't have an arms race with people trying to work around my sanitiser script. (Well, again, maybe in comments, but all that happens then is the comments get deleted by the bloggers.)
Which leaves just one component of the system that isn't a variation on something I've done before - trust metrics. Fortunately, while there doesn't seem to be a whole lot of stuff written about how to prevent XSS attacks (or at least, not much useful stuff**), I trip over interesting stuff on trust metrics everywhere.
* Minx is Ajax-agnostic. A page is a page; a request is a request. HTML vs. XML is just a difference in the template. And since the Minx user interface is built in Minx, this gives me a fair bit of flexibility.
** A lot of the advice consists of "Sanitise your pages really carefully. Bob didn't pay enough attention to his sanitiser script, and his company lost $50 million. Bob now washes windscreens for a living." The one worthwhile thing that I've seen come up is the first commandment of computer security: Default deny.
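The "default deny" rule applied to the comment sanitiser, as an added example (not Minx's own code): an allowlist HTML filter built on Python's `html.parser`, where every tag, attribute and URL scheme not explicitly permitted is dropped and all text is re-escaped, so the sanitiser never has to recognise a new trick to block it. The allowlists and the `sanitise_comment` / `safe_url` names are assumptions.

```python
# Default-deny comment sanitiser (added example, not Minx's own code): any tag,
# attribute or URL scheme missing from the allowlists is dropped; text is escaped.
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br", "a", "blockquote", "code"}
ALLOWED_ATTRS = {"a": {"href"}}                # per-tag attribute allowlist
ALLOWED_SCHEMES = {"http", "https", "mailto"}  # relative URLs are also accepted

def safe_url(url):
    scheme = urlparse(url.strip()).scheme.lower()
    return scheme == "" or scheme in ALLOWED_SCHEMES

class CommentSanitiser(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open_tags = [], []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return                                 # default deny: the tag vanishes
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, ()) or value is None:
                continue                           # onclick=, style=, ... vanish
            if name == "href" and not safe_url(value):
                continue                           # javascript:, data:, ... vanish
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag != "br":                            # void tag: nothing to close later
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in self.open_tags:                  # close it and anything still open inside
            while (inner := self.open_tags.pop()) != tag:
                self.out.append(f"</{inner}>")
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))  # text is always re-escaped

def sanitise_comment(html):
    parser = CommentSanitiser()
    parser.feed(html)
    parser.close()
    while parser.open_tags:                        # balance whatever was left open
        parser.out.append(f"</{parser.open_tags.pop()}>")
    return "".join(parser.out)
```

Unknown tags lose their markup but keep their text, so a dropped `<script>` block shows up as harmless literal text rather than disappearing silently, which makes sanitiser behaviour visible to the blogger reviewing comments.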
Posted by: Pixy Misa at 05:06 AM
Powered by Minx 1.1.6c-pink.