Showing posts with label bbcode. Show all posts
Showing posts with label bbcode. Show all posts
Sunday, September 26, 2010
BBCode won't protect you from XSS
Cross site scripting (XSS or HTML injection) is a vulnerability class that allows an attacker to enter malicious HTML code into your document. Usually that's a Javascript code for e.g. stealing the cookies or self spreading worm used for social networking sites. All the big sites (Facebook, Twitter, Myspace, Wikipedia to name the few) have had an XSS hole in the past. What that can teach us is that XSS protection is usually done wrong. Developers invent yet-another-perfect XSS filters, WAFs update their signatures, even the browsers feature XSS protection nowadays. And still, most of them fail.
One of the wrong ways to protect from XSS is to use BBCode. Today I encountered(削除) yet another blog post (削除ここまで) (update: post deleted by author, see comment #1) claiming that author used a BBCode implementation so that "The code is encoded and perfectly safe and resilient to possible XSS attacks". I just just had to put that to a test. Read on to find out how "perfect" was the code and what is wrong with using BBCode for XSS protection.
One of the wrong ways to protect from XSS is to use BBCode. Today I encountered
Subscribe to:
Comments (Atom)