Nice... I just want to say that there is a tutorial in French about cross site scripting: http://balteam.multimania.com/Tuts/css.txt . If you have additions or advice, please send them to me... Thx :)

>From: "- phinegeek -" <phineat_private>
>To: vuln-devat_private
>Subject: CSS, CSS & let me give you some more CSS
>Date: Tue, 29 Jan 2002 00:31:21 -0800
>
>A little while back I posted some info on a CSS bug I found on ebay,
>http://securityfocus.com/archive/82/246275.
>Just about every site (not joking) you go to has this type of vulnerability,
>it's nothing new. Luckily, CSS vulns are very easy to fix, after they are
>discovered.
>However, you shouldn't have to wait until your site is prefixed with "Cross
>Site Scripting" on a Bugtraq posting. These types of errors, as well as
>many other similar (but less threatening) types, are the product of careless
>programming practices.
>All you need is a method (call it SecureHTML()) that you run all your input
>through, before it gets displayed back to the user. This method would be
>used throughout your site in a modularized fashion.
>Isn't this how we should be doing it anyway???
>This simple principle can also be used for input that becomes part of an
>SQL statement (call it SecureSQL()) to guard against SQL injection.
>Just modularize your code folks and make sure all your developers use the
>methods when dealing with input.
>It's really that simple.
>This is also not new, I guess you could call it prevention?
>
>and here's some fun.. a lot of Security issues =]
>
>Security Focus:
>http://securityfocus.com/
>(copy and paste the text below in the search box just like it is)
>CSS OR "><SCRIPT><!-- ..tsk tsk tsk.. --></SCRIPT>"
>
>Digital Security:
>http://www.eeye.com/html/forms/recommend.html?u=eeye.com/
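The SecureHTML()/SecureSQL() idea from the quoted post, as an added example that is not from either poster: a Python encoder applied everywhere a search query is reflected, fed the exact string the post pastes into a search box, plus a parameterised lookup standing in for SecureSQL(). The function names, the sample page and the in-memory users table are constructed for the example.

```python
import html
import sqlite3

# Constructed sample input: the string the quoted post pastes into a search box.
# A site that echoes it back unencoded closes the attribute and starts a <SCRIPT> tag.
REFLECTED_INPUT = 'CSS OR "><SCRIPT><!-- ..tsk tsk tsk.. --></SCRIPT>"'


def secure_html(value: str) -> str:
    """SecureHTML(): encode untrusted text for HTML element content or a
    double-quoted attribute value. html.escape(quote=True) turns & < > " '
    into entities, so the browser renders them as text rather than markup.
    (Other contexts, e.g. inside a <script> block or a URL, need their own
    encoder; this one is only safe for the two contexts used below.)"""
    return html.escape(value, quote=True)


def render_search_page(query: str) -> str:
    """Echo the query back in both places a search page typically reflects it,
    always through secure_html() rather than trusting the caller to remember."""
    q = secure_html(query)
    return f'<input name="q" value="{q}">\n<p>Results for: {q}</p>'


def secure_sql_lookup(conn: sqlite3.Connection, name: str) -> list:
    """SecureSQL(): instead of escaping quotes by hand, bind the value as a
    parameter so the driver never parses it as part of the statement."""
    cur = conn.execute("SELECT id FROM users WHERE name = ?", (name,))
    return [row[0] for row in cur.fetchall()]


def demo_db() -> sqlite3.Connection:
    """Constructed in-memory table so the lookup runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return conn


if __name__ == "__main__":
    print(render_search_page(REFLECTED_INPUT))
    print(secure_sql_lookup(demo_db(), "alice"))
```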