XSS Injection Vulnerability – Chrome, Firefox, IE, Safari

A friend of mine, Tristan Burch, encountered this issue today. It is present in all browsers and has been closed as invalid in Firefox.

The browser’s HTML parser doesn’t know anything about JavaScript, so it interprets the closing script tag within the string. The above snippet results in an XSS vulnerability.

The lesson here is that it is dangerous to place user-submitted values directly into a JavaScript string. Developers should take care to always escape “<”, “>” and “&” when generating pages on the server side.
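The failure described above and one way to avoid it, as an added example in server-side JavaScript (not code from the original post). The function names and the sample input are constructed for illustration. The hardened version writes the three characters as JavaScript `\uXXXX` escapes, because HTML entities are not decoded inside a script element.

```javascript
// Constructed sample input: user text that contains a closing script tag.
const SAMPLE_INPUT = 'x</script><script>injected()</script>';

// Vulnerable: escaping backslashes and quotes yields a valid JS string, but
// the HTML parser runs first and ends the element at the first "</script".
function renderVulnerable(value) {
  const js = String(value).replace(/\\/g, '\\\\').replace(/"/g, '\\"');
  return '<script>var name = "' + js + '";</script>';
}

// Hardened: build the literal with JSON.stringify, then replace every
// "<", ">" and "&" with its \uXXXX form so the HTML parser never sees
// markup inside the string. U+2028/U+2029 are escaped as well because
// older JavaScript engines reject them raw inside string literals.
function jsStringForInlineScript(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

function renderHardened(value) {
  return '<script>var name = ' + jsStringForInlineScript(value) + ';</script>';
}

// Check usable in a template test: a page that opens one script element
// must contain exactly one "</script" sequence, whatever the user sent.
function countScriptEndTags(html) {
  return (html.match(/<\/script/gi) || []).length;
}

console.log(countScriptEndTags(renderVulnerable(SAMPLE_INPUT)));
console.log(countScriptEndTags(renderHardened(SAMPLE_INPUT)));
console.log(renderHardened(SAMPLE_INPUT));
```

The escaped literal still evaluates to the original text, so the page shows the user exactly what they typed.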

The correct HTML should be:

After all the advancements there have been in browsers, it’s surprising to still run into these kinds of things.

Web Security – Introduction

Web Security… It’s almost an oxymoron. Security for the web has always been a long and difficult battle, often a losing one. With this segment on web security, I am focusing specifically on development techniques that you can apply to your web applications to make them more secure. I really want to concentrate on making security easy, for both the end-user and the developer alike. Who said security has to be hard?

This is a multipart segment that will cover:

  1. XSS (Cross Site Scripting) Attacks
  2. CSRF (Cross Site Request Forgery) Attacks
  3. SQL Injection Attacks
  4. JSON Hijacking
(and perhaps more as I think of topics)
