
Protecting against the risk of XSS attacks in user-generated content

Web 2.0 means different things according to who you speak to, but one ubiquitous part of the definition is User Created Content (UCC). UCC essentially means giving the tools to create html on your website to someone other than the webmaster. And as soon as you give the keys to the castle to the great unwashed, then the great unwashed are going to try to crap in the moat.

Typically in blogs or discussion boards you will see a form that allows people to post their comments, which are then displayed on the page below the main article. Sometimes you will want people to insert links into their comments, which immediately opens up potential Cross Site Scripting (XSS) vulnerabilities, usually in the form of inline JavaScript. XSS attacks are usually based around attaching JavaScript to an HTML tag, so that when the visitor clicks on the link it does something unexpected: for example, redirecting them to a phishing site, stealing their cookies, or opening a load of pop-up windows.

A very crude attack would go something like this:

<a href="http://www.google.com" onclick="window.open('http://www.yahoo.com', '_self'); return false;">Click me</a>

Defending against this can be very problematic unless you strip out all tags. However, there are a number of libraries that should help; foremost amongst them is HTML Purifier. As an alternative you can allow BBCode to be used instead. BBCode is a simplified markup that lets you insert a basic tag-like syntax, which is parsed on the server into HTML tags. TinyMCE has a plugin to enable the easy use of BBCode, so for applications that let the general public create content, this may be the safest route.
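As an added example (not code from the original post, and not HTML Purifier or the TinyMCE plugin), here is a minimal server-side BBCode-to-HTML converter in Python. It escapes everything the user typed first, then re-enables only [b] and [url] tags, and a [url] is turned into a link only when its scheme is http or https; the crude attack shown above comes out as inert text rather than a clickable tag.

```python
import html
import re
from urllib.parse import urlsplit

# Constructed example: a minimal server-side BBCode-to-HTML converter.
# All user text is HTML-escaped first, so raw tags such as
# <a onclick="..."> are rendered as literal text, never as markup.
# Only [b] and [url=...] are translated back into HTML, and a URL is
# accepted only if its scheme is on the allow-list below.

ALLOWED_SCHEMES = {"http", "https"}

URL_RE = re.compile(r"\[url=([^\]]+)\](.*?)\[/url\]", re.DOTALL)
BOLD_RE = re.compile(r"\[b\](.*?)\[/b\]", re.DOTALL)

# The crude attack string from the post above, kept here as test input.
CRUDE_ATTACK = ('<a href="http://www.google.com" onclick="window.open('
                "'http://www.yahoo.com', '_self'); return false;\">Click me</a>")


def safe_href(raw):
    """Return the URL, escaped for an attribute, if its scheme is allowed; else None."""
    # The text was escaped before this is called, so undo entities
    # (e.g. &amp;) to inspect the real URL, then re-escape on output.
    url = html.unescape(raw.strip())
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return None
    # quote=True turns " into &quot;, so the URL cannot close the href
    # attribute and smuggle in an event handler such as onmouseover.
    return html.escape(url, quote=True)


def render_comment(text):
    """Convert user BBCode into HTML containing no user-controlled tags."""
    escaped = html.escape(text, quote=True)

    def url_sub(match):
        href = safe_href(match.group(1))
        if href is None:
            # Disallowed scheme (javascript:, data:, ...): keep only the
            # link text, so nothing clickable is produced.
            return match.group(2)
        return '<a href="%s" rel="nofollow">%s</a>' % (href, match.group(2))

    out = URL_RE.sub(url_sub, escaped)
    out = BOLD_RE.sub(r"<b>\1</b>", out)
    return out
```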

Posted in Web Development

Are the new Macmini’s value for money?

Apple have just updated the Macmini, by essentially putting the new MacBook guts into it. But does buying one make any sense?

I’ve never quite understood the Macmini; it’s rather a curate’s egg. What you are buying is basically a laptop, but without a screen, keyboard, mouse or battery. By the time you have added a decent keyboard, mouse and screen, you’ll have spent as much as the base iMac, more than the cheapest MacBook, and with neither the beauty nor the portability of either. Some may argue that it’s the cheapest way to get the Mac experience, but at over £600 it’s not a very appealing solution to Windows switchers or the Mac faithful.

The only configuration that makes any sense to me is the Macmini with Snow Leopard Server. For small businesses looking for a small, quiet and RAID-protected server, it makes a great deal of sense. If you added an external RAID array, like a Drobo, into the mix, it would make a very inexpensive Mac OS X server solution for small to medium-sized design agencies.

But for consumers I find it very hard to recommend it to a customer without feeling like a complete fraud…

Posted in Apple

Should I install anti-virus software on my Mac?

I’ve lost count of the times I’ve been asked this question, especially by Windows users switching to the Mac. There’s a short answer: probably. I tend to scan anything I download prior to installing it, and any Office documents I get.

Whilst OS X has very, very few security threats that are currently being exploited, unlike Windows which has tens of thousands, that doesn’t mean to say that you shouldn’t be cautious. I know at least two of my clients who had bizarre slowness using the Internet, which turned out to be cases of DNS Changer.

Most security exploits on the Mac come from people installing software that has had Trojans added to the payload. Often they originate in dodgy software they’ve blagged off the internet, or from strange video codecs they’ve installed to watch online video. So follow a few simple rules:

  1. Only trust software when you know exactly where it has come from.
  2. Assume that any attachments you are sent are suspicious.
  3. If you don’t need it, don’t install it.
  4. Dodgy software your mate gave you is all well and good, but don’t trust it.

Should I buy anti-virus software for my Mac?

God no! If anyone tries to sell you Intego VirusBarrier, Norton Internet Security or Sophos Anti-virus they probably just want your money, rather than what’s best for you. ClamAV for OS X is free, stable and unobtrusive. Just put it in your Dock and drag anything suspicious onto it to initiate a scan. Just make sure you keep the virus definitions up to date.

I run Parallels or VMWare Fusion on my Mac – should I use anti-virus software?

You should very definitely have it installed in the virtual machine if you care about the data in it, but it poses little threat to your Mac unless you set up shared folders. If the virtual machine can access folders on your Mac, then that data is vulnerable, so be doubly cautious if this sounds like you.

Posted in Security

NetBeans helps web developers make better websites, more productively and less expensively

So you’ve probably heard of Dreamweaver and you might think it’s the best tool for producing websites, and in many respects it’s great. The multi-line search and replace is almost worth the price alone. But if you’re doing serious coding in a language other than HTML and CSS, it really sucks quite badly. Why? Simply put, Dreamweaver’s code-completion in JavaScript and PHP is pretty non-existent. Why does this matter? Code-completion means the developer spends less time wondering what the hell a particular Method is named in a Class, and just gets on with the important bit: thinking about what he wants the code to do. If you’re writing your own custom Classes, NetBeans has excellent support for PHPDocumenter, so as long as you make sure to document your Methods correctly, you can just pull up a nice list of all the Methods an object supports, with all the arguments nicely explained for each Method.

It also integrates nicely with XDebug, so you can do proper line-by-line debugging rather than just echoing statements back to the screen, and it offers proper project support, the ability to define time-saving macros, plus excellent HTML and CSS code completion tools as well. And in my experience it’s much, much quicker than Eclipse-based tools like Zend Studio or PDT. It’s the closest thing I’ve found to Microsoft’s Visual Studio IDE that runs on the LAMP development stack.

So why should a little ol’ Web Developer near Bath need such things? Why not stick with Dreamweaver? Well, it’s free, it’s cross-platform and it lets me create websites more quickly and easily for my clients. And they like cheap, effective websites.

Posted in Web Development

Safari Tab Expose Add-on is evil

I happen to love Extensions in Firefox; they add so many great features. However, I’ve never felt any inclination to add extensions to Safari. That inclination was proved sound a few days ago, when a client in Shepton Mallet had a problem with Safari on their Mac. For some reason the toolbar kept disappearing, leaving her unable to search Google or even type an address into the address bar. You couldn’t even get the customise toolbar menu to work.

Nuking the preferences temporarily solved it, but shortly afterwards it came back. It was only after I noticed that she had Tab-Expose installed that the penny dropped. After removing it, everything behaved as expected.

So the lesson is: when Safari is playing silly buggers, disable add-ons.

Posted in Troubleshooting