Cross-site scripting: Use a custom tag library to encode dynamic content
Most Web sites today add dynamic content to their pages to make the experience more enjoyable for the user. Dynamic content is content generated by a server process; when delivered, it can behave and display differently depending on the user's settings and needs. Dynamic Web sites face a threat that static Web sites don't: "cross-site scripting," also known as "XSS."
"A Web page contains both text and HTML markup that is generated by the server and interpreted by the client browser. Web sites that generate only static pages are able to have full control over how the browser user interprets these pages. Web sites that generate dynamic pages do not have complete control over how their outputs are interpreted by the client. The heart of the issue is that if untrusted content can be introduced into a dynamic page, neither the Web sites nor the client has enough information to recognize that this has happened and take protective actions," according to CERT Coordination Center, a federally funded research and development center to study Internet security vulnerabilities and provide incident response.
The link for this article located at IBM developerWorks is no longer available.
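An added example, not code from the original article: one way a tag library can encode dynamic content so the browser displays it as text instead of interpreting it as markup. It assumes the title refers to a JSP custom tag library and that the JSP API is on the classpath; the class name EncodeTag, the helper encodeHtml and the tag name sec:encode are hypothetical.

```java
import java.io.IOException;
import java.io.StringWriter;
import javax.servlet.jsp.JspException;
import javax.servlet.jsp.tagext.SimpleTagSupport;

/**
 * Hypothetical tag handler: evaluates its body, then HTML-encodes the result
 * before writing it to the page.
 *
 * Assumed usage in a JSP, with the tag declared as body-content "scriptless"
 * in the library's TLD:
 *   <sec:encode>${param.name}</sec:encode>
 */
public class EncodeTag extends SimpleTagSupport {

    /** Replace the characters that are significant in HTML text and quoted attribute values. */
    static String encodeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    @Override
    public void doTag() throws JspException, IOException {
        StringWriter body = new StringWriter();
        if (getJspBody() != null) {
            // Evaluate the tag body (for example an EL expression) into a buffer
            getJspBody().invoke(body);
        }
        // Write the encoded form, never the raw body, to the response
        getJspContext().getOut().write(encodeHtml(body.toString()));
    }
}
```

This encoding is appropriate for HTML element content and quoted attribute values; values placed inside script blocks or URLs need encoding specific to those contexts.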