Talk:Cross-site scripting

From MediaWiki.org
Jump to navigation Jump to search

what?[edit]

okay escape everything, I get it. But what the f**k is escaping? Before we tell people to escape everything shouldn't we explain:

  1. what escaping is
  2. an example of escaping?

This article as it currently is written does not help me at all, unfortunately to my knowledge, this article is the closest instructions to this security issue this site has. Igottheconch 01:08, 13 December 2011 (UTC)

I give up. I simply don't have the computer knowledge to understand this, and 99% of most people won't understand this article either. That would not matter, except this seems to be a serious issue. Igottheconch 01:40, 13 December 2011 (UTC)
Escaping is converting e.g. "<span>" to what you see here, with that I mean that the span tag is not used as a span tag, is is displayed as text because it is escaped using the nowiki tag. Another example: $variable = 'Pagina's'; must be escaped to $variable = 'Pagina\'s';. Some related info: w:Escape character. SPQRobin 03:04, 13 December 2011 (UTC)
thank you so much for responding spq! god bless. Igottheconch 06:03, 13 December 2011 (UTC)
okay so in the example of extension:balloons, in the balloon I make, instead of typing:
<th colspan=3 bgcolor=lightblue>THIS IS A TABLE</th>
I would type:
<th colspan=3 bgcolor=lightblue>THIS IS A TABLE</th>
The Template:XSS alert says:
strictly validate user input and/or apply escaping to all characters that have a special meaning in HTML
It does not say WHERE do validate and apply escaping this would only be within the extension correct?
So instead would this be correct and clearer:
Apply escaping to all characters in all extension edits that have a special meaning in HTML
Also which characters have "special meaning" in HTML? Igottheconch 00:36, 16 December 2011 (UTC)
Found an answer to last question: Special Characters to Escape is this correct? Igottheconch 00:38, 16 December 2011 (UTC)
For the table, it depends on whether you want it to be displayed literally or parse it as HTML. Anything you want to be parsed as HTML should not be escaped. I suppose a table should be rendered as a table so you don't need to escape it. The page you link to is not relevant (it's about .NET), instead look at e.g. php.net. About where to escape within the extension, it depends on the source code but I'm certainly not an expert on escaping. SPQRobin 00:15, 17 December 2011 (UTC)

thank you again. Igottheconch 08:00, 17 December 2011 (UTC)

see also[edit]