Today, I saw a funny comment on a website:
<script> alert('0wn3d by X - X') </script>
<meta HTTP-EQUIV=Refresh CONTENT="0; URL=Some URL">
In case you don't know about these types of attacks, an attacker will write this comment on a blog (or any sort of web application), and if the application doesn't escape it before displaying it, this code will display an alert box and then redirect your visitors to whatever the URL is right away.
So again, if I visit this page, I see the alert box and will be redirected to another page on the Internet.
To prevent this, you will have to escape all user generated content before displaying them on your pages, in PHP:
function html_escape($str) { return htmlentities($str, ENT_QUOTES, 'utf-8'); }
In Python:
import cgi
# ...
def escape_html(value):
    # cgi.escape with quote=True also escapes double quotes. Note that cgi.escape
    # was removed in Python 3.8; html.escape(value, quote=True) is the replacement.
    return cgi.escape(value, True)
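To make the effect of output escaping concrete, here is an added example (not code from the original post) that takes the exact comment shown above as a constructed input string, renders it into a comment box both without and with escaping, and checks that the escaped version contains no raw tag characters. The render functions and the comment markup are assumptions for illustration; the escaping itself uses Python's standard html.escape.

```python
import html

# Constructed sample input: the comment quoted in the post, as an attacker
# would submit it through a comment form.
MALICIOUS_COMMENT = (
    "<script> alert('0wn3d by X - X') </script>"
    '<meta HTTP-EQUIV=Refresh CONTENT="0; URL=Some URL">'
)


def escape_html(value: str) -> str:
    """Escape &, <, >, double and single quotes so user text is displayed
    literally instead of being parsed as markup (html.escape, quote=True)."""
    return html.escape(value, quote=True)


def render_comment_unsafe(comment: str) -> str:
    """Hypothetical vulnerable template: user content pasted straight into HTML."""
    return "<div class='comment'>" + comment + "</div>"


def render_comment_safe(comment: str) -> str:
    """Same template, but every user-controlled value is escaped at output time."""
    return "<div class='comment'>" + escape_html(comment) + "</div>"


def user_content_is_inert(rendered: str, original: str) -> bool:
    """Check used below: after escaping, the user's text must contain no raw
    '<' or '>' characters, so the browser cannot see a <script> or <meta> tag.
    The surrounding template markup is stripped before checking."""
    inner = rendered[len("<div class='comment'>"):-len("</div>")]
    return "<" not in inner and ">" not in inner and html.unescape(inner) == original


if __name__ == "__main__":
    print("unsafe:", render_comment_unsafe(MALICIOUS_COMMENT))
    print("safe:  ", render_comment_safe(MALICIOUS_COMMENT))
    print("user content inert:", user_content_is_inert(
        render_comment_safe(MALICIOUS_COMMENT), MALICIOUS_COMMENT))
```

The last check also round-trips the escaped text through html.unescape to confirm that escaping only changes how the comment is encoded, not what the reader sees: the visitor still sees the attacker's text verbatim, but the browser never executes it. Escaping like this covers text placed in the HTML body and in quoted attributes; values inserted into URLs, inline scripts or CSS need the encoding rules of that context instead.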
These types of attacks are called Cross-Site Scripting or XSS:
http://en.wikipedia.org/wiki/Cross-site_scripting
Good Luck
Hamid Alipour is a partner in Codehead, LLP with his wife, Tess. Hamid speaks 12 markup and programming languages [Yes, 12: PHP, CSS, Ajax, JavaScript, HTML/XHTML, Java, Python, C/C++, ASP, Visual Basic, Scheme and Action Script]; has a penchant for solving the unsolvable; an affinity for clean, hand-written code and is a Zend Certified 