April 22, 2009 - 17:28 CEST
"That does not mean, however, that blocking < and > when outputting user data in javascript isn't necessary", David said.
[...]
March 16, 2007 - 10:15 CET
I was looking through my log and found a referer entry where someone had searched google with the search term "javascript+validation+to+avoid+SQL+injection". It seems some developers still don't understand that trying to lock up an application on the client side using javascript is impossible. It is like trying to avoid burglaries of your home by locking the doors to the homes of every thief around.
[...]
July 6, 2006 - 10:38 CEST
You may sometimes need to unescape HTML-escaped strings in javascript. I found a neat trick to do this using the browser's internal escaping.
[...]
May 8, 2006 - 19:04 CEST
For some pages you may want to add special effects to elements on the page. As an example, consider a WYSIWYG web page editor. In this kind of editor, you may want to hide the editing capabilities of the different page elements and show them only when the user selects an element for editing. An example web page can be found at the bottom of this entry.
[...]