Radiant Core: site tag http://www.radiantcore.com/ All of the Radiant Core posts tagged with site. en-ca Copyright 2006, Radiant Core Inc. All rights reserved. webmaster@radiantcore.com webmaster@radiantcore.com <![CDATA[Another site launches]]> Martin Kuplens-Ewart <info@radiantcore.com> http://www.radiantcore.com/blog/archives/09/01/2008/wildlawlaunch http://www.radiantcore.com/blog/archives/09/01/2008/wildlawlaunch http://www.radiantcore.com/blog/archives/09/01/2008/wildlawlaunch#comments launched their new site this week. It's a very different looking site for a very different law firm, and has features such as live-filtering lawyer and transaction listings (with obligatory vcard downloads), customised JavaScript market update on the homepage, and plenty of RSS feeds.

I'm especially pleased because I headed up the design and build - call it a little parental pride!

The project includes some interesting technical elements - all AJAX is built using the YUI toolkit; we've added some handlers in place to combat Internet Explorer's difficulties with displaying layers over HTML elements such as drop-downs; and there are a number of interesting cross-links between content areas that combine for great exploration.
]]> Taking Care of Business, HTML/CSS, Design Wed, 09 Jan 2008 12:00:00 GMT <![CDATA[5 Tips for protecting your site against XSS]]> Michael Bodalski <info@radiantcore.com> http://www.radiantcore.com/blog/archives/18/07/2006/5xsstips http://www.radiantcore.com/blog/archives/18/07/2006/5xsstips http://www.radiantcore.com/blog/archives/18/07/2006/5xsstips#comments While some still debate the risks associated with cross-site scripting (XSS) attacks, after the high exposure attacks against MySpace and Hotmail the pendulum has definitly swung in the direction of treating XSS as seriously as other more common injection type attacks. Either way, as with most things involving security on the web, it never hurts to err on the side of caution. The trick with XSS is that since the problem isn't specific to a particular technology, it can be tricky to know if you are vulnerable. Here are five common XSS injection techniques to check for any time you accept user input on your site.

  1. Your forms accept unnecessary HTML tags: This one should be obvious, but if a form on your site lets a user insert a tag in a comments form, you've got a potential problem. Unless there is a very good reason for it, it's usually not advisable to let users send HTML entities through a form.
  2. Failing to validate properties in anchor tags: It's often convenient or necessary to allow users to insert HTML in their input. If your site allows this, it is highly advisable to validate the properties passed along with the HTML. A common exploit is to hide script source inside of URLs. Depending on the user's browser, <a href="http://domain.com/page.asp?value=<script>code</script> will escape the URL and execute the value contained within the script tags.
  3. Not checking for correct data types: As with anchor tags, it's possible for a user to insert code disguised within an img tag. Since it's possible to have a server side script generate an image dynamically, most browsers will accept <img src="http://domain.com/script.php"> as a valid image resource. However accepting such input without verifying what value is being returned exposes your site to possible risks.
  4. Not cleaning user added CSS: As Niklas Bivald points out in his A List Apart article "Community Creators, Secure Your Code!", in-line CSS styling provides another opportunity. Niklas spends far more time on the subject than I can here including suggestions for cleaning input.
  5. Ignoring <embed> and <object> tags: While Javascript is the most common tool for implementing an XSS attack, you should also be careful that users can't link to external objects that have their own scripting languages. For example, Flash could be used to display an element on a page, or even open new browser windows. Since <embed> ad <object> tags are not directly dangerous, many developers overlook them when filtering user input.

For more information on XSS vulnerabilities, I highly recommend reading HTML Code Injection and Cross-site scripting which provides detailed information on detecting and filtering user input to protect your site from attack.

]]> HTML/CSS Tue, 18 Jul 2006 11:00:00 GMT