...ly, you're open to man in the middle attacks.) It is slightly easier to do XSS attack against token based authentication (i.e. if I'm able to run an injected script on your site, I can steal your token; however, cookie based authentication is not a silver bullet either - while cookies marked as http...

... Downvoting until the XSS bug in this code is fixed. – spookylukey Nov 20 '14 at 14:47 1 ...

... @Toskan: Also, make sure that your webapp is not sensitive to XSS attacks. I.e. do not redisplay any user-controlled input in unescaped form. XSS put doors open to ways to collect session IDs of all endusers. See also What is the general concept behind XSS? – Balus...

... when writing strings that haven't been encoded to HTML output (because of XSS). In other contexts different sub-strings are dangerous, for example, if you write an user-provided URL into a link, the sub-string "javascript:" may be dangerous. The single quote character on the other hand is dangerous...

...ilter input, escape output (cookie, session data are your input too) Avoid XSS (keep your HTML well formed, take a look at PHPTAL or HTMLPurifier) Defense in depth Do not expose data There is a tiny but good book on this topic: Essential PHP Security by Chris Shiflett. Essential PHP Security http...

...ample: http://jsfiddle.net/k65s3/ Input: Entity: Bad attempt at XSS:<script>alert('new\nline?')</script><br> Output: Entity: Bad attempt at XSS:<script>alert('new\nline?')</script><br> ...

...ated. Because the security mechanism is written in JS, I'm pretty sure is xss related. – rook Jul 17 '10 at 5:59 ...

...screenshot of an element, even if the origin-clean FLAG is set (to prevent XSS), that´s why you can even capture for example Google Maps (in my case). I wrote a universal function to get a screenshot. The only thing you need in addition is the html2canvas library (https://html2canvas.hertzen.com/)....

...lf from a malicious parent. From an attack perspective this is more like XSS (cross-site scripting) than UI-Redress. You are giving Google access to your website and they could hijack your users' cookie's or perform XmlHttpRequests against your website if they so choose (but then people would sue...

... Heh, play with the thread stack size. java -Xss100k allowed me to create 19702 threads in Linux. – Steve K Apr 18 '09 at 17:40 21 ...