Computer Security - Cross Site Scripting

in #programming, 7 years ago (edited)




One of the most common security flaws today is known as "cross site scripting" or "XSS."
It is an old problem and one that has plagued some of the biggest sites on the internet.


I noticed an XSS vulnerability in the search box of Walgreens about a year ago just because I was searching for M&Ms.


Here's a fun story about a cross site scripting exploit on MySpace:




XSS vulnerabilities are mostly easy to eliminate, but they also can be very dangerous.
In order to understand how they work, we first need to understand how HTML works.
HTML stands for HyperText Markup Language, and it is the language of the web.
HTML describes how a page is laid out. It does not express logic or arithmetic; on the web, that is reserved for a real programming language, JavaScript.




JavaScript code can be put right into the middle of an HTML page like so...
<script> runSomeJavascriptCode(); </script>

As an example, think about a steemit post.
The words you post end up in the feeds of other people.
Imagine that instead of regular text, you posted the following:
<script> JavascriptCodeToUpvoteAndResteemPost(); </script>
or
<div onload="JavascriptCodeToUpvoteAndResteemPost();"></div>

In this scenario, your followers would open up your post and their web browsers (which potentially have privileged access to your keys...) could do very bad things, or at the very least make them automatically upvote and resteem your post.

Fixes...



The most common approach is to "escape" the "<" and ">" characters so that the script tag is not interpreted as a tag but rather as actual content text in the webpage.

This usually works, but sometimes you need more intricate solutions...like for Steemit.
Steemit can't choose this route because it needs to allow certain HTML tags in posts.
Instead (I think) it strips out script tags as well as any and all HTML attributes.


For more information on how to fix:


https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
