Slashdot Mirror


User: radical_dementia

radical_dementia's activity in the archive.

Stories: 0 · Comments: 20

Comments · 20

  1. Re:Script tags isn't enough. on XSS Vulnerabilities Reviewed and Re-Classified · · Score: 3, Informative

    Yes, you are absolutely right! However it seems the possible damage is very limited. I just tried this out and it works in both Firefox 1.5 and IE6, but surprisingly NOT in IE7. Here is what I did:

    First I made a CSS class called test in a separate .css file in which the background-image property had the following text:

    background-image: url('javascript:window.location=\'http://www.google.com\'')

    Then I just made a simple HTML page with a div tag of that class. When I navigated to the page, it almost instantly redirected to Google. It also worked with putting the same text in the style attribute of a tag. However, I tried doing some other things, such as calling alert() and document.write(), and appending document.cookie to the URL, but these all did not work. In Firefox, the JavaScript console reported "Uncaught Exception: Permission Denied" on those scripts. IE6 and 7 simply did nothing. So while you can use this to screw up a page, it doesn't seem like you can do more serious things like session hijacking. But I agree with you that the best solution is just to strip all HTML.

  2. Unavoidable? on XSS Vulnerabilities Reviewed and Re-Classified · · Score: 3, Informative

    Perhaps the author is unaware of the PHP function strip_tags. Or in a more general sense, a simple regular expression can be used to remove script tags or all HTML tags from a string. That's seriously all you need to do to eliminate XSS. The only times when XSS holes exist are when lazy or oblivious coders forget to call the function on any input passed to a script.

    As far as the seriousness of XSS, I think the author is heavily downplaying the issue. With XMLHttpRequest it is easier than ever to use XSS to hijack users' sessions. For example, in a message board post or something I could put a simple script that uses an XMLHttpRequest object to send the user's cookies with the session ID to a remote script. The script can then immediately hijack the user's session and steal information or whatnot, before the user even navigates to a different page.
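The two XSS comments above turn on the same point: removing tags handles markup in a text node, but the style-attribute vector in the first comment contains no tag at all, so a tag stripper leaves it intact. The block below is an added example, not code from Slashdot or from the commenter: it puts a naive regex stand-in for PHP's strip_tags next to context-aware output handling, with escaping for text and attribute contexts and an allow-list for a value that lands in a style attribute. All inputs are constructed, and the render_* functions are assumed templates rather than any real site's code.

```python
import html
import re
from typing import Optional

# Constructed sample inputs for this demonstration (not taken from any real site).
PLAIN_COMMENT = "I agree that stripping HTML is the simplest fix."
SCRIPT_COMMENT = "<script>alert('xss')</script>"
ATTR_BREAKOUT = '" onmouseover="alert(1)'
CSS_VALUE = "red; background-image: url('javascript:void(0)')"

TAG_RE = re.compile(r"<[^>]*>")


def strip_tags(text: str) -> str:
    """Naive tag removal in the spirit of PHP's strip_tags (hypothetical stand-in):
    drops anything between < and >, leaves every other character untouched."""
    return TAG_RE.sub("", text)


def escape_text(text: str) -> str:
    """Output encoding for an HTML text node or a quoted attribute value:
    &, <, >, " and ' become entities, so the browser never sees markup."""
    return html.escape(text, quote=True)


def safe_css_color(value: str) -> Optional[str]:
    """Allow-list validation for a value placed inside a style attribute.
    Only a named color or a hex triplet/sextet is accepted; anything else is
    rejected, because escaping cannot make an arbitrary string safe in CSS."""
    if re.fullmatch(r"#[0-9a-fA-F]{3}|#[0-9a-fA-F]{6}|[a-zA-Z]{1,20}", value):
        return value
    return None


def render_comment(body: str) -> str:
    """Comment body placed in a text node: escape, don't strip."""
    return f'<div class="comment">{escape_text(body)}</div>'


def render_title_attr(title: str) -> str:
    """User-controlled string placed in a double-quoted attribute."""
    return f'<a href="/post" title="{escape_text(title)}">post</a>'


def render_colored_name(name: str, color: str) -> str:
    """User-controlled color placed in a style attribute: validate against the
    allow-list and fall back to a fixed default when validation fails."""
    chosen = safe_css_color(color) or "inherit"
    return f'<span style="color: {chosen}">{escape_text(name)}</span>'


if __name__ == "__main__":
    print(strip_tags(SCRIPT_COMMENT))        # tags gone, the script text survives as text
    print(render_comment(SCRIPT_COMMENT))    # markup rendered inert by escaping
    print(render_title_attr(ATTR_BREAKOUT))  # the attribute stays closed
    print(strip_tags(CSS_VALUE))             # unchanged: no tag for a stripper to remove
    print(render_colored_name("radical_dementia", CSS_VALUE))  # falls back to inherit
```

The design point is that the right treatment depends on where the untrusted string ends up: escaping is enough for text nodes and quoted attributes, while a CSS (or URL) context needs an allow-list, because a string like CSS_VALUE contains nothing that either a tag stripper or an HTML escaper would change.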

  3. Over a month since it happened on New Crater On Moon Caught On Video · · Score: 1

    Is there a good reason why this happened on May 2, and only now they are publishing an article about this? Not that I've even been able to see the video yet. NASA can put a man on the moon but they can't keep a server running more than 10 minutes before getting slashdotted.

  4. chances are on Phantom Lapboard Delayed · · Score: 1

    Probably when this thing is actually released we'll be plugging our computers directly into our brains and won't need something as primitive as a mouse and keyboard to play games.

  5. OMG WOW!!! on Make Your OWN OMG Ponies SIGNS!!! WITH GLITTER!!! · · Score: 0

    I wish I was smart enough to think of something that cool.

  6. flawed logic on Senate Hearing Recap · · Score: 5, Informative

    These anti-game activists keep saying that video games increase aggression and violent behavior. However, I find that hard to believe considering US crime rates have in fact been decreasing since video games began getting popular in the early 90s.

  7. Not everything travels through the backbone on Increased Bandwidth Irrelevant? · · Score: 4, Insightful

    AT&T's argument is that it doesn't matter how fast your connection is, once your packets travel through the internet backbone, they're gonna get slowed down anyway. This has 2 major flaws:

    1. Many, many connections do not travel through the backbone. Sure, a connection from NY to LA will, but probably not from your house to your neighbor's. AT&T only seems to be thinking about IPTV, but people are going to want fast connections for many other uses.

    2. Eventually the backbone will be faster, and AT&T customers will be stuck with the slower connection.

  8. the end of activex? on Eolas COO Says IE Changes A Shame · · Score: 5, Interesting

    I think perhaps one reason they are avoiding buying a patent license is because they are planning on doing away with ActiveX. I've already heard the XMLHttpRequest used for Ajax will be built in to IE7 and not as an ActiveX control. It's possible other things like Flash and Acrobat will do the same.

  9. Yahoo trying to follow in Google's footsteps on Yahoo May Be Facing Suit Over Chinese Journalist · · Score: 1

    This seems like a backfired attempt by Yahoo to comply with the Chinese government, much in the same way Google is censoring search results. TFA doesn't go into detail why Yahoo released the information, how it was released, or to whom it was released, but my speculation is that the government possibly threatened to block Yahoo or take some other measure if they didn't reveal the information they wanted.

  10. You know you're in trouble when... on More Xbox Titles Added to 360 List · · Score: 2, Insightful

    ...you have to release bug fix patches for a console.

    Not having to worry about bugs, installations, and updates is a major factor in what makes consoles more appealing than PCs for gaming. It seems to me Microsoft is failing to realize this.

  11. definition of a derivative on The World's Most Beautiful Equations? · · Score: 0, Offtopic

    The derivative of a function f at a is f'(a) = lim_{h->0} (f(a+h) - f(a))/h. That's pretty much the basis of calculus.

  12. fps on a console? on CNN Hands-On With The Revolution · · Score: 1

    FPS on a console is nothing new, but IMO ever since the days of GoldenEye on N64 all the way up through Halo 2, using an analog stick and a d-pad has always been cumbersome. This new controller is basically like a 3D mouse, and if they do it right (which it looks like they have), this could really be the first time where people like me who only do FPS on a PC will go for the consoles. I am very much looking forward to getting my hands on a Revolution.

  13. oh noes on Cyber Attacks on US Linked to Chinese Military? · · Score: 2, Funny

    It is possible they stole "extremely sensitive" information. I bet they raided the government's pr0n library.

  14. Dependency injection? on Dependency Injection with AspectJ and Spring · · Score: 0, Troll

    Well you sir are a fastishio, see I can make up words too.

  15. what else could go wrong? on NASA Probes Shuttle Oxygen Leak · · Score: 2, Interesting

    So they found out about a potential serious problem 2 minutes after liftoff and they said nothing until 5 months later? Seems to me that NASA is trying to save face and not doing a good job at it. I've always been a strong supporter of NASA, but enough is enough, they just keep dumping billions of dollars into the space shuttle program and nothing constructive is happening.

  16. Re:Oh great... on The Convergence of Games and Film · · Score: 1

    The article isn't really talking about making movies based on games (most of which do suck royally), but it's talking about using the same technology to make both a movie and a game at the same time based on the same story. This is not a brand new idea; I can recall Enter the Matrix as a game that was specifically made to be a counterpart of the movie, but I think there is a long way to go before movies and games are made out of the same stuff.

  17. Re:Pay? on Alexa Web Search Platform Released · · Score: 5, Informative

    One dollar per CPU hour consumed. $1 per gig of storage used. $1 per 50 gigs of data processed. $1 per gig of data uploaded (if you are putting your new service up on their platform).

  18. get ready on Google and Red Hat added to Nasdaq · · Score: 0

    Google's stock is so high right now, I'm guessing there's going to be a split soon. That's usually a good time to buy.

  19. I get it on Nano Tech. Spurs Continued Health Concerns · · Score: 2, Funny

    So basically what this article is saying is "nanotechnology is cool but it may have problems but we're not sure yet so just pretend everything is fine."

  20. Re:Obvious question... on Yahoo Tops Portal Market In Visitors · · Score: 4, Insightful

    I think it may be due to the fact that programs like RealPlayer usually go to a homepage when you launch the program. As far as I can tell it's just an ordinary web browser built into the program, so they probably included those visits in their numbers.