http://ask.metafilter.com/tags/csrf Questions tagged with 'csrf' at Ask MetaFilter. Wed, 20 Jun 2007 19:00:35 -0800 Wed, 20 Jun 2007 19:00:35 -0800 en-us http://blogs.law.harvard.edu/tech/rss 60 http://ask.metafilter.com/65257/Attacking%2Dmy%2DURL How do I prevent hackers from embedding scripts into my site's incoming urls. For example, a hacker can easily create a link like <a href="http://www.propmart.com/search/pm_IdSearch.asp?txtPropertyId=%22%3E%3Cscript%3Ealert%28%27xss%27%29;%3C/script%3E%3Cspan%20style=%22 ">link with javascript</a> to ultimately grab users cookies. How do I prevent this from happening. Can I use javascript to prevent this, or is this something that need to be prevented on the server end? tag:ask.metafilter.com,2007:site.65257 Wed, 20 Jun 2007 19:00:35 -0800 csrf hacking javascript xss kaizen http://ask.metafilter.com/63202/KrisKross%2DSite%2DScripting Help explain how a hacker could perform a XSS exploit. This <a href='http://ez.no/community/articles/dangers_of_csrf_and_xss/xss_attacks'>article</a> explains how a bad-guy could send a malicious query through an unvalidated searchbox and essentially modify the html on the search results page. What I don't understand is how the hacker could have this malicious code display on a page that I am browsing. Except for unvalidated forum posts, how can a hacker inject malicious code into a webpage. If I ensure that my forum posts don't allow HTML and I am not loading external js files, what do I have to worry about? tag:ask.metafilter.com,2007:site.63202 Tue, 22 May 2007 18:01:03 -0800 cross-site csrf css scripting kaizen