By Harry Fuecks

Guess everyone makes mistakes

Gmail accounts ‘wide open to exploit’ through XSS (presumably in the form of an email).

Chris has a good explanation on XSS Self Defence.

While on the subject: I was glancing at a PHP book called “PHP 4 Programming for Advanced Web Developers”, which you thankfully won’t find in the bookstores (it is electronic only, from a limited online bookstore). Here’s a quote:

You can validate the form data by using client-side scripting languages, such as JavaScript or VBScript, […], or send the form data to a verification script.

That suggests client-side validation is good enough (and makes me want to scream). I think there needs to be a place to report misinformation as well as application security holes.
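For contrast with the book’s advice, here is an added example (my own, not from the post or the quoted book) of what the “verification script” side has to do anyway: validate the fields on the server, because a client can send the request without ever running the JavaScript checks, and escape what it echoes back so markup in a submitted value is displayed rather than interpreted. It assumes a hypothetical form with the fields `email` and `message`.

```php
<?php
declare(strict_types=1);

// Validate form data on the server, regardless of any JavaScript/VBScript
// checks in the browser. Returns a list of error strings; empty means OK.
function validate_contact_form(array $post): array
{
    $errors = [];

    $email = isset($post['email']) && is_string($post['email']) ? trim($post['email']) : '';
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email is not a valid address';
    }

    $message = isset($post['message']) && is_string($post['message']) ? $post['message'] : '';
    if ($message === '' || strlen($message) > 2000) {
        $errors[] = 'message must be between 1 and 2000 bytes';
    }

    return $errors;
}

// Escape untrusted text for an HTML body context so that tags and quotes
// in a submitted value cannot become active content in the page.
function html_escape(string $untrusted): string
{
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Render one submission: reject on validation errors, otherwise echo it escaped.
function handle_submission(array $post): string
{
    $errors = validate_contact_form($post);
    if ($errors !== []) {
        return 'Rejected: ' . html_escape(implode('; ', $errors)) . "\n";
    }
    return '<p>' . html_escape($post['message']) . '</p>' . "\n";
}

// Constructed samples: what requests can carry once browser-side checks are skipped.
$bad_address = ['email' => 'not-an-address', 'message' => 'hello'];
$markup_body = ['email' => 'user@example.com', 'message' => '<b>hi</b> <script>x()</script>'];

echo handle_submission($bad_address); // Rejected: email is not a valid address
echo handle_submission($markup_body); // <p>&lt;b&gt;hi&lt;/b&gt; &lt;script&gt;x()&lt;/script&gt;</p>
```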

  • Ren

    Just wish there was more support for HttpOnly cookies. (Both in non IE browsers, and PHP)

  • jon
  • Chris Shiflett

    Thanks for the link, Harry. There’s also a plain HTML version available on my Web site that some people might prefer:

    Do you have any details about the vulnerability? I know the original announcement was purposely vague, but I presume things have been fixed by now.

    Someone recently sent me a description of a supposed Gmail vulnerability, wanting me to determine whether their findings were valid. I was able to access their account, which was more than they had expected. However, the attack required me to access a URL that should only really be known by the user, and I never had a chance to look into it more. I think details about this recent attack might give me some more perspective about what Google is doing on the server side.
