Wednesday, July 20, 2011

JavaScript XSS Attack

A reminder about JavaScript XSS attacks, specifically user input written into a script block.

For example, a page template that drops a user-supplied value straight into a JavaScript string literal:

var name = "<%= UserInput %>";

If a request submits the username as

" ;alert(document.cookie);//

the rendered script no longer contains one string. The leading quote closes the literal early, alert(document.cookie) runs as a statement of its own, and the trailing // comments out the template's closing quote and semicolon so the script still parses. The injected code executes with the page's origin and can read its cookies: a classic XSS attack.

There is a simple fix, which I have added inside the String Extension (available for Support R5):
var currentUsername = "<%= Encoder.JavascriptEncode(UserInput) %>";

Hopefully this post can serve as a reminder for all of us to protect our sites.
