have browser, will travel

February 8, 2000

In case you haven't seen it, here's the silly security advisory from CERT.

This has been an issue since the beginning of web time - it's amusing that it's coming to the front now.

Dvorak believes CERT is now Microsoft's mouthpiece to help them revive the old proprietary MSN. I was a subscriber on MSN in '95 when Win95 came out. I actually liked that service. (ducking)

When I first read the CERT advisory, the first thing I thought was, "That's funny, WebObjects apps are immune to this problem!"

WebObjects' "WOString" element, which is used to output a string to a web page, has a property called "escapeHTML". It's set to YES (true) by default. To make a WO app vulnerable to "Cross-site scripting" holes, you'd have to set that property (manually) to NO (false).

Of course, there are times (not many, depending on your app) when you need to set escapeHTML to NO, but when you do that, you need to be smart about it: the string you emit unescaped had better not contain anything supplied by an untrusted user.
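As an added illustration (not code from the post or from WebObjects), here is a small Python script that mimics what a WOString emits with escapeHTML set to YES versus NO, and audits a constructed .wod bindings file for WOString elements that have been switched to escapeHTML = NO, so you can find the few places that need a second look. The .wod sample and the element names in it are made up for the example.

```python
import html
import re

# Constructed sample of a WebObjects .wod bindings file (not from the post).
SAMPLE_WOD = """
Title : WOString {
    value = pageTitle;
}
Comment : WOString {
    value = userComment;
    escapeHTML = NO;
}
Body : WOString {
    value = article.bodyHTML;
    escapeHTML = YES;
}
"""

# One declaration looks like:  Name : ElementType { binding = value; ... }
DECL_RE = re.compile(r"(\w+)\s*:\s*(\w+)\s*\{([^}]*)\}")
BINDING_RE = re.compile(r"(\w+)\s*=\s*([^;]+);")


def render_wostring(value, escape_html=True):
    """Mimic what WOString emits: HTML-escaped unless escapeHTML is NO."""
    return html.escape(value, quote=True) if escape_html else value


def parse_wod(text):
    """Return a list of (name, element_type, {binding: value}) tuples."""
    decls = []
    for name, etype, body in DECL_RE.findall(text):
        bindings = {k: v.strip() for k, v in BINDING_RE.findall(body)}
        decls.append((name, etype, bindings))
    return decls


def unescaped_wostrings(text):
    """(name, value binding) of each WOString whose escapeHTML is NO/false.
    The binding defaults to YES, so an absent binding is the safe case."""
    return [
        (name, b.get("value"))
        for name, etype, b in parse_wod(text)
        if etype == "WOString"
        and b.get("escapeHTML", "YES").upper() in ("NO", "FALSE")
    ]


if __name__ == "__main__":
    for name, value in unescaped_wostrings(SAMPLE_WOD):
        print(f"{name}: escapeHTML = NO on value = {value}; check where that string comes from")
```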

New Apple TechInfo Library Article: WebObjects and Dynamic Content. (Found at Stepwise)