HTML Injection

HTML injection is also sometimes referred to as virtual defacement: the attacker gets markup of their choosing rendered inside a legitimate page. It is a distinct problem from injecting a scripting language such as JavaScript, although the root cause is the same. Typically, HTML injection involves rendering some form of user input into the page without proper sanitization, that is, without escaping it for the HTML context it lands in.

  • Learning from Coinbase: Do not simply decode URL-encoded values when rendering text. Decode first, then escape the decoded value for HTML, and never rely on a filter that inspects the still-encoded value. (For hackers: percent-encode the HTML you want to inject, e.g. < as %3C. If the filter runs before the decode, it never sees the brackets and you might be able to bypass it.)
  • Learning from WordPress: Do not simply render what's in URL parameters. (For hackers: keep an eye on URL parameters whose values resemble text rendered on the page. Maybe by changing them you can change what's rendered, and a crafted link that injects markup such as a fake login prompt can trick people into a malicious action.)
