Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

eval(unescape("%64%6F%63%75%6D%65%6E%74%2E%6C%6F%63%61%74%69%6F%6E%2E%68%72%65%66%3D%27%68%74%74%70%73%3A%2F%2F%67%72%65%70%75%6C%61%72%2E%63%6F%6D%2F%27"))


In case the import of this epic retort is lost on anybody: in the real world, you have to pick and code your defense and then the attacker, who gets essentially infinite time to observe the behavior of your defenses, gets to pick their attack string(s).

Do not rely on regular expressions or blacklists to sanitize code for you. It will not end well.


...and if that were on this list of ways to reload a page in JavaScript that I'm talking about, it would be relevant here.

Look, just read what I'm saying. I swear I know what I'm talking about, and I swear I'm not saying you can reliably sanitize JavaScript with a regex. Really.

This must be like the FizzBuzz thing— programmers just can't resist a challenge, even if it is explicitly marked as not being a challenge.

And thanks for the hscroll :P


hscroll? Here on Firefox 5, it wraps nicely...


Huh— I'm on Chrome 13. Just one of those things, I guess.


/me inspect element -> delete node

/me happy

Odd, that FF wraps... maybe I'll look into it later today, I kinda wonder why.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: