Disabling Internet Explorer Cross Site Scripting Filter (XSS)

A client of mine recently tasked me with figuring out why the newer versions of IE were throwing a Cross Site Scripting (XSS) error. For the life of me, I couldn’t figure out why. Maybe it was because they were submitting a form to another server? Or perhaps because the JavaScript was closing the window when it was done? I don’t know. But I did find a nice little trick that allows you to disable the Cross Site Scripting (XSS) filter in IE.

All that you need to do is add "X-XSS-Protection: 0" to the response headers. In PHP, for instance, disabling the Cross Site Scripting (XSS) filter takes one line:

header("X-XSS-Protection: 0");

That’s it. Usually that will resolve any XSS errors you have. It may not be the best solution from a security standpoint, since it switches off the browser’s built-in reflected-XSS filtering for that response, but it’ll work in a pinch.
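To find where a site has applied this workaround, the added example below (not code from the original post) parses the X-XSS-Protection value out of a response's headers and flags responses that disable the filter without also sending a Content-Security-Policy header. The function names, finding labels and sample responses are constructed for illustration, and treating a CSP as the compensating control is this example's assumption.

```python
# Added example: names, labels and sample responses are constructed.
def parse_headers(raw):
    """Map lower-cased header names to values; the status line has no colon and is skipped."""
    headers = {}
    for line in raw.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def parse_xss_protection(value):
    """Return (mode, report_uri); mode 'default' means the browser's own default applies."""
    if value is None:
        return ("default", None)
    parts = [p.strip() for p in value.split(";")]
    if parts[0] == "0":
        return ("disabled", None)
    if parts[0] != "1":
        return ("default", None)  # unrecognised value, so the header has no effect
    mode, report = "sanitize", None
    for directive in parts[1:]:
        name, _, arg = directive.partition("=")
        if name.strip().lower() == "mode" and arg.strip().lower() == "block":
            mode = "block"
        elif name.strip().lower() == "report":
            report = arg.strip() or None
    return (mode, report)


def audit(raw):
    """Return finding labels (hypothetical names) for one raw response header block."""
    headers = parse_headers(raw)
    mode, _ = parse_xss_protection(headers.get("x-xss-protection"))
    findings = []
    if mode == "disabled":
        findings.append("xss-filter-disabled")
        if "content-security-policy" not in headers:
            findings.append("no-csp-compensating-control")
    return findings


# Constructed sample responses (not captured from any real site).
SAMPLE_DISABLED = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nX-XSS-Protection: 0\r\n"
SAMPLE_WITH_CSP = SAMPLE_DISABLED + "Content-Security-Policy: default-src 'self'\r\n"
SAMPLE_BLOCK = "HTTP/1.1 200 OK\r\nX-XSS-Protection: 1; mode=block\r\n"

if __name__ == "__main__":
    for sample in (SAMPLE_DISABLED, SAMPLE_WITH_CSP, SAMPLE_BLOCK):
        print(audit(sample))
```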

Discovering a Cross Site Scripting Attack

As any good freelance web developer does, I was browsing my competition’s portfolio earlier this evening. I was curious as to how the layout was done on one of their client’s web pages, so I opened the source. Near the bottom, there were probably 100 links injected into the page. It turns out that they were the victim of a cross-site scripting attack.

I immediately notified the owner, but I’m still pretty excited that I made a discovery like this.  You hear about cross-site scripting attacks all the time, but I’ve never actually discovered one.

For those interested, the site in question is:  http://www.skydivecms.com/

Using HTTPService to get XML results from a server

I’m not a Flex developer, but I’m quickly becoming one. Recently I was tasked with creating a Flex form, sending it to the server, waiting for a response, and handling things accordingly. My problem was that I couldn’t figure out how to use the result set that I received from the server. Turns out, I needed to import the ResultEvent class, which was the turning point.

The Actionscript

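import mx.controls.Alert;
import mx.rpc.events.ResultEvent;

// Result handler for the HTTPService below; evt.result holds the server's reply.
private function thanks(evt:ResultEvent):void {
    var dataFromServer:XML = XML(evt.result);
    // Show the XML returned by the server.
    Alert.show(dataFromServer.toXMLString());
}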

The Flex

<mx:HTTPService
    id="srv" useProxy="false"
    url="http://localhost/form.php" method="POST"
    contentType="application/x-www-form-urlencoded"
    resultFormat="xml" result="thanks(event);">
    <mx:request>
        <name>
            { bname.text }
        </name>
        <address>
            { baddress.text }
        </address>
    </mx:request>
</mx:HTTPService>

What happens here is that the HTTPService sends my data to the server, and the server then returns new data in XML format. The important thing to remember is that a ResultEvent is passed to the event handler. Just passing a normal event didn’t do much for me.

Contributing to Ubuntu

After dragging my feet on open source contribution for some time, I’ve decided to get actively involved with Ubuntu.  I’m going to start by learning how to package different things, and then go from there.  I would eventually like to get a new package into the next version of Ubuntu, but I think starting small would be great too :)

Return

As the job prospects in my neck of the woods are few and far between, I will most likely be returning to grad school this spring. While it isn’t the best situation, it is currently the best choice I have to make ends meet and further my career. I won’t be taking my grad assistantship back either. It was far too time-consuming and did little to further me as a person or as a software developer. I have instead opted for contracting through various people with hopes that it may eventually become a full-time thing.

Wish me luck!