2 posts tagged with csrf.

How do I prevent hackers from embedding scripts into my site's incoming URLs? For example, a hacker can easily create a link like link with JavaScript to ultimately grab users' cookies. How do I prevent this from happening? Can I use JavaScript to prevent this, or is this something that needs to be prevented on the server end?
posted by kaizen on Jun 20, 2007 - 10 answers

Help explain how a hacker could perform an XSS exploit. This article explains how a bad guy could send a malicious query through an unvalidated search box and essentially modify the HTML on the search results page. What I don't understand is how the hacker could have this malicious code display on a page that I am browsing. Except for unvalidated forum posts, how can a hacker inject malicious code into a webpage? If I ensure that my forum posts don't allow HTML and I am not loading external JS files, what do I have to worry about?
posted by kaizen on May 22, 2007 - 6 answers