Category: developers journal

What happens if you output unescaped user input?

Author: seven April 22, 2008

If you build a webapp targeted for small and friendly crowd – usually nothing. But when you build a website for American presidential candidate… Uh well, it smells like XSS. This weekend, Barack Obama website accepted a comment from a visitor but did not escape nor strip out angle-brackets and quotemarks. A YouTube clip from zennie62 demonstrates the attack. The clip shows a user clicking on the blog section of the Barack Obama site, which caused the browser to redirect to hillaryclinton.com. Funny! :) I still love the design of barackobama.com though.

Author

seven

CEO/CTO at Nivas®

Follow me Website Twitter GitHub LinkedIn

Neven Jacmenović has been passionately involved with computers since late 80s, the age of Atari and Commodore Amiga. As one of internet industry pioneers in Croatia, since 90s, he has been involved in making of many award winning, innovative and successful online projects. He is an experienced full stack web developer, analyst and system engineer. In his spare time, Neven is transforming retro-futuristic passion into various golang, Adobe Flash and JavaScript/WebGL projects.

One thought on “What happens if you output unescaped user input?”

Fred
April 22, 2008 at 22:48

fucker

gooo Bama!

;)

Reply

What happens if you output unescaped user input?

One thought on “What happens if you output unescaped user input?”

Leave a Reply Cancel reply