[callumacrae]

That's the difference between .text and .html, yes ;-)

[TheMaster]

Wait so, don't XSS and SQL work on the same concept of unescaped quotes, or am I completely misunderstanding XSS?

[Kyek]

XSS generally (but not always) works because of < and > not being changed into HTML entities. But it's not just plugging things into HTML. The best ones take advantage of exec() calls in the JavaScript, for example. Or by overriding AJAX URLs.

[@Tom]

Hey kyek, you should write a tutorial on protecting yourself from xss specifically for node.js apps.

[soulcyon]

Hacking web servers 101 by Kyek, me likey

[@Tom]

soulcyon, on 08 July 2012 - 09:27 PM, said:

Hacking web servers 101 by Kyek, me likey

Mine said PROTECTING against

[callumacrae]

itom07, on 08 July 2012 - 08:24 PM, said:

Hey kyek, you should write a tutorial on protecting yourself from xss specifically for node.js apps.

http://lynxphp.com/s...site-scripting/

[@Tom]

Not a bad read callum, could you post a node version. Instead of in php

[Cyril]

itom07, on 13 July 2012 - 12:40 PM, said:

Not a bad read callum, could you post a node version. Instead of in php

You should probably learn JS properly if you don't understand how to implement that

I'm also referring to all your questions in the Node/JS forum. You seem to ask some pretty basic JS questions (even stuff like syntax) -- it's a much better idea for you to properly learn JavaScript in the first place, before taking on more advanced stuff.

[callumacrae]

itom07, on 13 July 2012 - 12:40 PM, said:

Not a bad read callum, could you post a node version. Instead of in php

http://phpjs.org/fun.../strip_tags:535

[@Tom]

Cyril, on 13 July 2012 - 01:00 PM, said:

You should probably learn JS properly if you don't understand how to implement that

I'm also referring to all your questions in the Node/JS forum. You seem to ask some pretty basic JS questions (even stuff like syntax) -- it's a much better idea for you to properly learn JavaScript in the first place, before taking on more advanced stuff.

I'm pretty sure you deserve like three -1's for that answer. Isn't this forum for learning? And I was referring to a script tag alternative.

I do not regret a single one of my questions because I've gone from understanding zero js to learning a pretty fair amount to then making my own node app. True a lot of my questions are quite basic but for what I'm using them for better to have a completely explained basic example and them adapt a more sophisticated version for my use.

On a third note there are times when I wish people would have asked questions because then I can learn from their answers. I'm sure there are new people to this forum who want to see easy questions as opposed to entirely years of experience type questions. Not everyone who joins has been coding for years.

[callumacrae]

itom07, on 13 July 2012 - 02:26 PM, said:

I'm pretty sure you deserve like three -1's for that answer. Isn't this forum for learning? And I was referring to a script tag alternative.

His point being that there were two lines of PHP-specific stuff, and it wasn't complicated PHP. This is a place for learning, but it certainly isn't a replacement for Google / MDN ;-)

[@Tom]

callumacrae, on 13 July 2012 - 02:30 PM, said:

His point being that there were two lines of PHP-specific stuff, and it wasn't complicated PHP. This is a place for learning, but it certainly isn't a replacement for Google / MDN ;-)

Your correct and maybe I should have googled it but since I had the opportunity to directly ask the author, I took advantage of it.

[Kyek]

It's no biggie I think what Cyril was getting at was that it's more important to understand the concept than it is to know how to get around it for one specific language. And he's right -- because XSS, while it sounds big and scary, is 100% resolved by doing two things, no matter what language you're working with:

• Replace < and > with

  <

  and

  >

  
  
• Never ever parse and execute user-submitted content.

So at that point, the question goes from "How can I block XSS in Javascript?" to "what's the best way to do string replacement?" and maybe "How can I rewrite this so I'm not eval()ing user-submitted data?" And those two questions are way easy to answer here.

[@Tom]

I'm sorry Cyril that I snapped at you, you no longer deserve a -3 but a +1/2. Frankly the responses here are much clearer than on a lot of sites. (yes even yours )