Today | RSS | RDF | Atom | Other
 
Advanced Search
Eric's weblog
Weird Thoughts From Eric's Head

Tags - Categories : All | AJAX | BUSINESS | PERSONAL | PROGRAMMING | BOOK REVIEW
June 2006
SunMonTueWedThuFriSat
     1  2  3 
 4  5  6  7  8  9  10 
 11  12  13  14  15  16  17 
 18  19  20  21  22  23  24 
 25  26  27  28  29  30  
May  |  Today  |  Jul

Recent Blog Entries

Co-Author of Ajax In Action Ajax In Action

Recent Responses
Re: Make innerText compatiable
A better way to do this now is: if(document.all){ document.getElementB...

Re: The responseXML is null or has an error.
Another problem that can screw up your XML response when it is generated by PHP code is when you make a call to a PHP function that reports a warning such as the mail function does when there is a problem with the mail set up. You can suppress these wa...

Other Blogs
Dave Crane
Val's Blog
Dirk's Blog
Nate's weblog
Ajith Kallambella
Lasse's weblog
Gregg's Weblog
Hershey's Blog
My Cave Online
Bounces amongst neurons
Six Sides To A Box
Jia Yo!
Moose in Headlights
Unresolved References
This That and The Other...
Just My Thoughts
Balaji's blog
Java Ranch Book Reviews
Corey's SCJP Tipline, etc.
JavaRanch News
Eric's weblog
Barry's weblog
Mike Curwen's Blog
David's blog
In through the out door
Frank Carver's weblog
Peabody's
Uncontrolled Vocabularies
The Bear Den
I've Been Wondering...
Simon Brown
Permalink
[AJAX] [PROGRAMMING] Will Ajax get another bad rap? Yahoo worm

Will Ajax get another bad rap? Yahoo worm

Just like the Sammy worm attacked MySpace last October another JavaScript flaw in Yahoo email is using the good ole XHR object to grab a users address book and use another technique to send the list of emails to another remote server. Want to see the code look here and you will see the famous lines that look for 4 and 200 with the XHR object!

Now this is why I stress in every single one of my talks about making sure your code does not allow JavaScript injection if you are displaying user input! I even have had interviews (one example) where I stress that you need to do checks. If something this big can affect a company like yahoo, imagine what it can do to your site.



Eric Pascarello
Coauthor of Ajax In Action
Moderator of HTML/JavaScript at www.JavaRanch.com
Author of: JavaScript: Your Visual Blueprint for building Dynamic Web Pages

TrackBacks[0] Comments[3] Posted by pascarello on June 13, 2006 9:50:32 AM EST
Powered by Pebble 1.9.1 [ Login ] Content © Eric Pascarello