wbweb blog

wbweb blog demo

Security XSS

Posted By mark @ 6:23pm, Saturday 16 January 2010

XSS - Cross Site Scripting

1. What is XSS? XSS commonly targets scripts embedded in a web page which are executed by the user's browser. The scripts can be manipulated to execute in a manner desired by a malicious user and can be executed every time a page is loaded.

2. XSS may result in identity theft, altered browser functionality, or access to sensitive or restricted information.

3. XSS examples hacker

4. XSS Prevention - Users Be aware of the URL in your address bar.

5. XSS Prevention - Site Developers Be stringent in validating users' form input, and encode it before writing it back into a page.
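As an added illustration of point 5 (example code, not from the original post): untrusted form input is HTML-encoded before it is written into the page, so a submitted comment is rendered as text rather than interpreted as markup. The function names, the comment markup and the sample input are all assumptions constructed for this example; the encoding covers HTML text and quoted-attribute context only, not script or URL context.

```javascript
// Added example (not from the original post): encode untrusted input before
// placing it in an HTML page, so user-supplied tags are shown, not executed.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape the five characters that can change meaning in HTML text or in a
// quoted attribute. A single pass with a regex avoids double-encoding '&'.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Build the markup for a comment block from untrusted author and body strings
// (hypothetical layout). Both values pass through escapeHtml, so a submitted
// '<b>' or a stray quote cannot break out of the text or attribute context.
function renderComment(author, body) {
  return '<div class="comment" data-author="' + escapeHtml(author) + '">' +
         '<p>' + escapeHtml(body) + '</p></div>';
}

// Constructed sample input standing in for a form submission.
const sampleAuthor = 'mark';
const sampleBody = 'Great post <b>mark</b>! "quoted" & \'single\'';

console.log(renderComment(sampleAuthor, sampleBody));
```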

Javascript Coding Standards

Posted By mark @ 1:24pm, Saturday 1 November 2008

Maintaining javascript code is made easier if coding standards are in place from the start. The use of comments and white space, to explain the code, is encouraged. The comments and white space can be stripped out prior to placing the code on the internet - this will optimize the file size and increase performance. The following is a summary of the javascript coding standards used by wbweb ltd.

Coding Standards

1. General Use an indent of at least 2 spaces. Variables should be defined at the start of the code or function, using 'var'. Use ';' at the end of code statements, with the exception of 'for', 'function', 'if', 'switch', 'try' and 'while'.

2. Naming Conventions - CamelCasing The first letter of each function or variable should be lowercase while the first letter of subsequent words should be capitalised eg

var javaScript;

3. String Concatenation Use a space between the '+' and '+=' and the concatenated parts eg

var string = 'wbweb' + 'ltd';

4. Control Structure These include 'for', 'if', 'switch', 'try' and 'while'. Use curly braces at all times, even when they are technically optional eg

if ((condition1) || (condition2)) {
  action1;
} else {
  action2;
}

5. Function Calls Functions should be called with no spaces between the function name, the opening parenthesis and the first parameter. Parameters should be separated by ', ' with the exception of the last parameter. eg

var result = wbweb(parameter1, parameter2);

6. Comments Are encouraged. Either single line comments, preceded by '//', or multi line comments enclosed by '/*' and '*/'.

7. 'With' statement The 'with' statement provides a short hand method to object references eg

with (document.forms[0]) {
  x = elements[0].value;
  y = elements[1].value;
}

However, it is unclear which variable will be modified: inside the 'with' block, 'x' and 'y' may refer to properties of the form rather than to outer variables. Instead, the above example should be rewritten as follows

var o = document.forms[0];
var x = o.elements[0].value;
var y = o.elements[1].value;

8. 'eval' statement Avoid. 'eval' provides access to the JavaScript compiler. This is sometimes necessary however the overheads far outweigh the benefits.

9. 'Javascript External Files' Javascript code should be placed in an external file where possible. This allows the code to be easily used on multiple web pages and provides the option for compression.