TweetDeck XSS flap: Miscreants flash their naughty bits at users

Twitter aficionados are being warned to log out of Twitter client TweetDeck and revoke its access to their accounts after an apparent cross-site scripting vulnerability was discovered. Multiple users – including El Reg's HQ in London, England – reported on Wednesday that they had seen a suspicious pop-up within TweetDeck that …

COMMENTS

This topic is closed for new posts.
  1. Crazy Operations Guy

    This was bound to crop up eventually

    I wish that they'd put some sort of protection against this kind of thing into the HTML spec, some sort of tag to mark a section as text-only that should not be executed or rendered. To prevent XSS attacks, you could always dynamically create a 'check code' at serving time. Or maybe use a length setting. Or both.

    Something like this:

    The source file would look like this:

    <NoExecute> (data to be displayed) </NoExecute>

    and would be sent to the client as:

    <NoExecute check=asgdy8y3894he98hqwdh> (Data to be displayed) </NoExecute check=asgdy8y3894he98hqwdh>

    -or-

    <NoExecute length=256> (data that has been padded to be 256 bytes in length) </NoExecute>

    Something like this would solve a lot of problems and will help alleviate a lot of security issues where the user is allowed to enter arbitrary data.

    1. Michael Shelby

      Re: This was bound to crop up eventually

      But then the attacker could just enter:

      {256 bytes of stuff}

      </NoExecute>

      {evil code}

      <NoExecute length=256>

      {256 bytes of stuff}

      HTML mixes data and code, period. There is no way to separate them, the damage is done, we are all doomed.

      1. Crazy Operations Guy

        Re: This was bound to crop up eventually

        My thought on the length method would be in cases where the input length has already been restricted to that amount earlier, such as on Twitter where you only have 160 characters of input or El Reg with the limit of 10,000 characters per post. Otherwise you'd use a check value.

        I know we are all doomed, but I figure that with some protection like this, we'll be less doomed.
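To make the two proposals above and the forged-closing-tag reply concrete, here is an added Python model (not code from this thread, from TweetDeck or from The Register). It assumes three hypothetical consumers of the proposed `NoExecute` tag: one that trusts the first closing tag it sees, one that only honours a closing tag carrying a per-response check token, and one that trusts the declared length (valid only when that limit was enforced upstream, as the 160-character and 10,000-character cases suggest). The attacker string is constructed here to mirror the shape of the reply's bypass, and the last function shows the mitigation browsers actually rely on today: HTML-escaping untrusted output so no markup survives at all.

```python
import html
import re
import secrets

# Constructed input in the shape of the bypass from the reply: padding,
# a forged closing tag, a payload, then a forged opening tag and more padding.
FORGED = ("A" * 256 + "</NoExecute>" + "<script>alert(1)</script>"
          + "<NoExecute length=256>" + "B" * 256)

# Constructed short variant that fits within a 256-character input limit.
SHORT_FORGED = "</NoExecute><script>alert(1)</script>"


def wrap_by_closing_tag(untrusted: str) -> str:
    """Proposal as first written: the region ends at a plain closing tag."""
    return "<NoExecute>" + untrusted + "</NoExecute>"


def text_inside_first_region(doc: str) -> str:
    """Hypothetical consumer that trusts the first closing tag it meets."""
    m = re.search(r"<NoExecute[^>]*>(.*?)</NoExecute>", doc, re.S)
    return m.group(1) if m else ""


def wrap_with_check(untrusted: str) -> tuple[str, str]:
    """'Check code' variant: a random per-response token on both tags."""
    check = secrets.token_hex(16)
    doc = f"<NoExecute check={check}>{untrusted}</NoExecute check={check}>"
    return doc, check


def text_inside_checked_region(doc: str, check: str) -> str:
    """Hypothetical consumer that only honours a closing tag with the token."""
    tok = re.escape(check)
    m = re.search(rf"<NoExecute check={tok}>(.*?)</NoExecute check={tok}>", doc, re.S)
    return m.group(1) if m else ""


def wrap_by_length(untrusted: str, n: int = 256) -> str:
    """Length variant: only sound if the n-character limit was enforced upstream."""
    if len(untrusted) > n:
        raise ValueError("input exceeds the declared length")
    return f"<NoExecute length={n}>" + untrusted.ljust(n) + "</NoExecute>"


def text_inside_length_region(doc: str) -> str:
    """Hypothetical consumer that reads exactly the declared number of characters."""
    m = re.match(r"<NoExecute length=(\d+)>", doc)
    if not m:
        return ""
    start, n = m.end(), int(m.group(1))
    return doc[start:start + n]


def escape_for_html(untrusted: str) -> str:
    """Today's real defence: output encoding, so no tag can be forged at all."""
    return html.escape(untrusted, quote=True)


def payload_escaped(untrusted: str, protected: str) -> bool:
    """True when part of the untrusted input ended up outside the protected text."""
    return len(protected) < len(untrusted)


if __name__ == "__main__":
    naive = text_inside_first_region(wrap_by_closing_tag(FORGED))
    print("closing-tag scheme leaks payload:", payload_escaped(FORGED, naive))

    doc, check = wrap_with_check(FORGED)
    checked = text_inside_checked_region(doc, check)
    print("check-token scheme leaks payload:", payload_escaped(FORGED, checked))

    kept = text_inside_length_region(wrap_by_length(SHORT_FORGED))
    print("length scheme kept forged close as text:", kept.strip() == SHORT_FORGED)

    print("escaped output contains markup:", "<" in escape_for_html(FORGED))
```

The check-token consumer works for the same reason a CSP nonce does: the attacker's content is fixed before the per-response secret exists, so a forged closing tag never carries it. The length consumer is only as strong as the upstream limit, which is exactly the qualification given in the follow-up comment.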

        1. This post has been deleted by its author

          1. Tim Jenkins

            Re: This was bound to crop up eventually

            In that case, 'doom' needs an SI unit. Can I suggest that from now on all degrees of doomedness be expressed in fractions or multiples of the size of wails?

  2. Andrew Jones 2

    Well I'm incredibly disappointed that I missed all the fun!

    I didn't get a pop up or anything!

  3. Anonymous Coward

    Meanwhile in other news

    The majority of the population continues to ignore Twitter
