Category: developers journal

What happens if you output unescaped user input?

Author: seven April 22, 2008

If you build a webapp targeted for small and friendly crowd - usually nothing. But when you build a website for American presidential candidate... Uh well, it smells like XSS. This weekend, Barack Obama website accepted a comment from a visitor but did not escape nor strip out angle-brackets and quotemarks. A YouTube clip from zennie62 demonstrates the attack. The clip shows a user clicking on the blog section of the Barack Obama site, which caused the browser to redirect to hillaryclinton.com. Funny! :) I still love the design of barackobama.com though.

Author
seven
CEO/CTO at Nivas®
Neven Jacmenović has been passionately involved with computers since late 80s, the age of Atari and Commodore Amiga. As one of internet industry pioneers in Croatia, since 90s, he has been involved in making of many award winning, innovative and successful online project. He is experienced full stack web developer, analyst and system engineer. In his spare time, Neven is transforming retro-futuristic passion into various golang, Adobe Flash and JavaScript/WebGL projects.

    One thought on “What happens if you output unescaped user input?”

  • fucker

    gooo Bama!

    ;)

  • Leave a Reply

    Your email address will not be published. Required fields are marked *

    You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>