Gmail accounts ‘wide open to exploit’ through XSS (presumably in the form of an email).

Chris has a good explanation on XSS Self Defence.

While on the subject: I was glancing at a PHP book called “PHP 4 Programming for Advanced Web Developers”, which you thankfully won’t find in the bookstores (it is electronic only, from a limited online bookstore). Here’s a quote:

You can validate the form data by using client-side scripting languages, such as JavaScript or VBScript, […], or send the form data to a verification script.

That suggests client-side validation is good enough (and makes me want to scream). I think there needs to be a place to report misinformation as well as application security holes.
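To show why the book's advice is dangerous, here is an added example (not from the original post, Chris's article or the book): a small Python form handler with constructed sample submissions, one as a browser running the page's JavaScript check would send it and one that skips the check entirely. The regular expressions and field names are assumptions for the illustration.

```python
import html
import re

# Constructed sample submissions. The first is what a browser running the
# page's JavaScript check would send; the second is what arrives when that
# check is skipped entirely, e.g. by posting the form fields directly.
FORM_FROM_BROWSER = {"name": "Harry", "email": "harry@example.com"}
FORM_BYPASSING_CLIENT = {
    "name": "<script>alert('xss')</script>",
    "email": "not an address",
}

# Deliberately simple server-side rules (assumed for this example); a real
# application would use its framework's validators. What matters is that
# they run on the server, where the attacker cannot switch them off.
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z .'-]{0,63}$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def validate(form):
    """Return a dict of field -> error message; empty means the input passed."""
    errors = {}
    if not NAME_RE.match(form.get("name", "")):
        errors["name"] = "name must be 1-64 letters, spaces, dots, apostrophes or hyphens"
    if not EMAIL_RE.match(form.get("email", "")):
        errors["email"] = "email address is not well-formed"
    return errors


def render_greeting(form):
    """Build the HTML fragment echoed back to the user.

    Output encoding is applied regardless of validation: validation limits
    what we accept, encoding guarantees that whatever we echo cannot break
    out of its text context. Both are server-side decisions.
    """
    safe_name = html.escape(form.get("name", ""), quote=True)
    return f"<p>Thanks, {safe_name}!</p>"


def handle_submission(form):
    """Server-side handler: reject invalid input, otherwise echo it encoded."""
    errors = validate(form)
    if errors:
        return {"status": 400, "body": "; ".join(errors.values())}
    return {"status": 200, "body": render_greeting(form)}


if __name__ == "__main__":
    print(handle_submission(FORM_FROM_BROWSER))
    print(handle_submission(FORM_BYPASSING_CLIENT))
```

The second submission is rejected with a 400, and even if it were echoed, `render_greeting` would emit it as inert text rather than markup.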


  • Ren

    Just wish there was more support for HttpOnly cookies. (Both in non-IE browsers, and PHP)

    http://msdn.microsoft.com/workshop/author/dhtml/httponly_cookies.asp

  • jon
  • Chris Shiflett

    Thanks for the link, Harry. There’s also a plain HTML version available on my Web site that some people might prefer:

    http://shiflett.org/articles/foiling-cross-site-attacks

    Do you have any details about the vulnerability? I know the original announcement was purposely vague, but I presume things have been fixed by now.

    Someone recently sent me a description of a supposed Gmail vulnerability, wanting me to determine whether their findings were valid. I was able to access their account, which was more than they had expected. However, the attack required me to access a URL that should only really be known by the user, and I never had a chance to look into it more. I think details about this recent attack might give me some more perspective about what Google is doing on the server side.
