While adding Markdown support for Quixey, we realized that Markdown’s support for raw HTML created an enormous cross-site scripting vulnerability.

We consulted the XSS Cheat Sheet and learned that there are hundreds of sinister tricks hackers can use to inject malicious JS into any input field that offers even a bare minimum of HTML support.

DOM = Frame buffer

February 2nd, 2010 | Posted by Quixey in Technology - (7 Comments)

If you’re writing a large-scale AJAX application, is it okay to write code like this?

if (jQuery("#file_menu").is(":visible")) { ... }

No, it’s not okay at all. The problem is relying on the DOM to store your program’s state. We want to argue that, despite its tree structure, the DOM only encodes your application’s output — and not its semantics.