Category Archives: cross site scripting

Mitigations against critical universal cross-site scripting vulnerability in fully patched Internet Explorer 10 and 11

This week David Leo disclosed a critical universal cross-site scripting vulnerability in fully patched Microsoft Internet Explorer 10 and 11 (referred to below as the UXSS bug). He notified Microsoft on October 13 last year, but Microsoft didn’t publish a … Continue reading

Posted in browser security, cross site scripting, security vulnerability, website security | 1 Comment

Cross-site scripting in millions of web sites

In August 2014 I found a severe cross-site scripting security vulnerability in the latest version (1.13.0) of the ‘jQuery Validation Plugin’ during a security penetration test for a customer. This jQuery plugin, which adds easy form validation functionality to a web site, is … Continue reading

Posted in cross site scripting, Google, PHP, responsible disclosure | 62 Comments

PHP: htmlEntities() and Cross Site Scripting

When user input is printed inside an attribute of an HTML tag, the default configuration of htmlEntities() does not protect you against Cross Site Scripting (XSS) if single quotes are used to delimit the attribute value: by default only double quotes are encoded, so a single quote in the input closes the attribute early. XSS is then possible … Continue reading
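The failure mode described above, shown as an added example that is not part of the original post: the vulnerable rendering passes ENT_COMPAT explicitly (the default flag set before PHP 8.1, which encodes double quotes only), and the hardened rendering passes ENT_QUOTES so that single quotes are encoded as well. The attacker payload is constructed for this example.

```php
<?php
// Added example (not from the original post): why htmlentities() with its
// pre-PHP-8.1 default flags fails inside a single-quoted attribute, and the fix.

// Constructed attacker input: a single quote closes the attribute value,
// then an event handler attribute is appended to the tag.
const PAYLOAD = "' onmouseover='alert(1)";

// Vulnerable: ENT_COMPAT is passed explicitly because it was the default
// before PHP 8.1; it encodes double quotes only, so the single quote in
// PAYLOAD passes through unchanged and terminates the attribute early.
function render_vulnerable(string $input): string
{
    $unsafe = htmlentities($input, ENT_COMPAT, 'UTF-8');
    return "<input type='text' value='" . $unsafe . "'>";
}

// Hardened: ENT_QUOTES encodes both quote styles (a single quote becomes
// &#039;), and ENT_SUBSTITUTE replaces invalid UTF-8 sequences instead of
// returning an empty string, which would otherwise silently drop the value.
function render_hardened(string $input): string
{
    $safe = htmlentities($input, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<input type='text' value='" . $safe . "'>";
}

echo render_vulnerable(PAYLOAD), PHP_EOL;
echo render_hardened(PAYLOAD), PHP_EOL;
```

Run with the PHP CLI: the first line printed contains a closed, empty value attribute followed by a live onmouseover handler, while the second line keeps the whole payload inside the attribute value because every quote has been encoded. The same protection is obtained by always passing ENT_QUOTES (or, on PHP 8.1 and later, relying on the new default), regardless of which quote style the surrounding HTML uses.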

Posted in cross site scripting, PHP security | Comments Off on PHP: htmlEntities() and Cross Site Scripting

Article published: Webprogrammer’s Hacking Guide

On PHPFreakz.nl I have published the article Webprogrammer’s Hacking Guide. This article is intended for web programmers who want to program securely or who are concerned about the security of their scripts. The article is aimed at both beginners and advanced developers and at … Continue reading

Posted in article, cross site scripting, PHP security, security audit, website | Comments Off on Article published: Webprogrammer’s Hacking Guide