Simon Willison’s Weblog

Subscribe

Entries tagged security, xss

Filters: Type: entry × security × xss × Sorted by date


Weeknotes: Page caching and custom templates for Datasette Cloud

My main development focus this week has been adding public page caching to Datasette Cloud, and exploring what custom template support might look like for that service.

[... 924 words]

8:45 pm / 7th January 2024 / caching, security, varnish, xss, datasette, cloudflare, weeknotes, datasettecloud

Datasette 0.51 (plus weeknotes)

I shipped Datasette 0.51 today, with a new visual design, plugin hooks for adding navigation options, better handling of binary data, URL building utility methods and better support for running Datasette behind a proxy. It’s a lot of stuff! Here are the annotated release notes.

[... 2020 words]

4:22 am / 1st November 2020 / projects, security, urls, xss, datasette, weeknotes, annotatedreleasenotes

What Javascript tools are there for cleansing input?

Don’t cleanse. Escape instead.

[... 18 words]

12:18 pm / 30th July 2013 / security, xss, quora

What are the best practices to avoid XSS and SQL Injections attacks (platform agnostic)?

Input validation is, in my opinion, a red herring. Sure—if you ask the user for an integer or date you should make sure they entered one before attempting to save it anywhere or use it for processing, but injection attacks often involve text fields (e.g. names, or comments posted on Quora) and validating those on input is a recipe for banning “Tim O’Reilly” from ever creating a proper profile on your site!

[... 316 words]

11:43 am / 4th February 2012 / hacking, security, sqlinjection, xss, quora

Why are XSS attacks spreading like fire these days?

XSS attacks are common and easy, and crop up all the time. What’s new is that the number of people who are aware of the potential for XSS worms has increased hugely, so when an XSS does crop up in something popular there’s a much higher chance of someone turning it in to a worm (as happened with Twitter the other day).

[... 96 words]

5:29 pm / 27th September 2010 / javascript, security, webapps, xss, quora

Why do some people disable JavaScript in their browser?

For security reasons.

[... 159 words]

1:37 pm / 25th August 2010 / csrf, javascript, privacy, security, xss, quora

Designing for a security breach

User account breaches are inevitable. We should take that in to account when designing our applications.

[... 545 words]

9:29 pm / 30th September 2007 / accounts, csrf, designingforabreach, openid, phishing, privacy, security, xss

The Register hit by XSS

Here’s a nasty one: popular tech news site The Register was hit on Saturday by the Bofra exploit, a nasty worm which uses an iframe vulnerability in (you guessed it) Internet Explorer to install nasty things on the victim’s PC. Where it gets interesting is that the attack wasn’t against the Register themselves; it came through their third party ad serving company, Falk AG.

[... 262 words]

8:32 am / 22nd November 2004 / javascript, security, theregister, xss

Security and coding style

A couple of good web development security resources:

[... 127 words]

8:27 pm / 20th December 2002 / c, linux, security, xss

Types

Years

Tags