PragProg Customers

Release It! Second Edition: about Cross-Site Scripting (page 221)

rachelcarmena

rachelcarmena

About “Cross-Site Scripting”:

Cross-site scripting (XSS) happens when a service renders a user’s input directly into HTML without applying input escaping.

I’d prefer “without applying input encoding”.

“escaping” and “encoding” could be used for the same purpose. Even OWASP talks about “encode/escape” in some pages. However, I’d prefer “encoding” because of this reason:

“Writing these encoders is not tremendously difficult, but there are quite a few hidden pitfalls. For example, you might be tempted to use some of the escaping shortcuts like " in JavaScript. However, these values are dangerous and may be misinterpreted by the nested parsers in the browser. You might also forget to escape the escape character, which attackers can use to neutralize your attempts to be safe. OWASP recommends using a security-focused encoding library to make sure these rules are properly implemented.”

Source: Cross Site Scripting Prevention - OWASP Cheat Sheet Series

View thread on forum
/book-release-it-second-edition#suggestion
0 580 0

Popular Prag Prog topics Top

Razor54672
PragProg Customers

Practical Programming, Third Edition: Incorrect Answer in Chapter 5 Exercise Solution
The answer to 3rd Problem of Chapter 5 (Making Choices) of “Practical Programming, Third Edition” seems incorrect in the given answer ke...
#errata/book-practical-programming-third-edition
2 1040 0
New
lirux
PragProg Customers

The Ray Tracer Challenge: "Computing the normal on a transformed sphere" ebook test
Hi Jamis, I think there’s an issue with a test on chapter 6. I own the ebook, version P1.0 Feb. 2019. This test doesn’t pass for me: ...
#errata/book-the-ray-tracer-challenge
10 1438 5
New
mikecargal
PragProg Customers

Hands-on Rust: question about get_component
Title: Hands-on Rust: question about get_component (page 295) (feel free to respond. “You dug you’re own hole… good luck”) I have somet...
#question/book-hands-on-rust
1 1158 5
New
herminiotorres
PragProg Customers

Programming Phoenix LiveView: Typo
Hi! I know not the intentions behind this narrative when called, on page XI: mount() |> handle_event() |> render() but the correc...
#errata/book-programming-phoenix-liveview
3 1296 17
New
leba0495
PragProg Customers

A Common-Sense Guide to Data Structures and Algorithms, Second Edition: (pg460)
Hello! Thanks for the great book. I was attempting the Trie (chap 17) exercises and for number 4 the solution provided for the autocorre...
#errata/book-a-common-sense-guide-to-data-structures-and-algorithms-second-edition
0 1147 3
New
curtosis
PragProg Customers

Build a Weather Station with Elixir and Nerves: 'mix deps.get' does not work if user has not created a keyfile (page 16)
Running mix deps.get in the sensor_hub directory fails with the following error: ** (Mix) No SSH public keys found in ~/.ssh. An ssh aut...
#errata/book-build-a-weather-station-with-elixir-and-nerves
2 1433 3
New
brunogirin
PragProg Customers

Python Testing with pytest, Second Edition: error when running tox in parallel (page 151)
When trying to run tox in parallel as explained on page 151, I got the following error: tox: error: argument -p/–parallel: expected one...
#errata/book-python-testing-with-pytest-second-edition
0 1101 1
New
NaplesDave
PragProg Customers

PragProg Customers Kotlin and Android Development: pg. 8 Build Gradle error: Could not get unknown property 'kotlin_version'
I am using Android Studio Chipmunk | 2021.2.1 Patch 2 Build #AI-212.5712.43.2112.8815526, built on July 10, 2022 Runtime version: 11.0....
#question/book-kotlin-and-android-development-featuring-jetpack
0 1377 2
New
mcpierce
PragProg Customers

Kotlin and Android Development featuring Jetpack: Unique constraint error when running chapter 5 code changes
@mfazio23 I’ve applied the changes from Chapter 5 of the book and everything builds correctly and runs. But, when I try to start a game,...
/book-kotlin-and-android-development-featuring-jetpack
0 1132 10
New
dachristenson
PragProg Customers

Kotlin and Android Development featuring Jetpack: No activity_main.xml anymore
I just bought this book to learn about Android development, and I’m already running into a major issue in Ch. 1, p. 20: “Update activity...
#errata/book-kotlin-and-android-development-featuring-jetpack
0 1947 6
New

Other popular topics Top

AstonJ
General Dev Chat

What are you listening to?
A thread that every forum needs! Simply post a link to a track on YouTube (or SoundCloud or Vimeo amongst others!) on a separate line an...
#community#music
193 4238 93
New
AstonJ
Hardware

Which keyboard do you have?
If it’s a mechanical keyboard, which switches do you have? Would you recommend it? Why? What will your next keyboard be? Pics always w...
#hardware/keyboards#mechanical-keyboards#sticky
144 8208 50
New
AstonJ
General Dev Chat

Best chairs for developers?
What chair do you have while working… and why? Is there a ‘best’ type of chair or working position for developers?
#workspace#opinions
74 4630 41
New
dasdom
General Dev Chat

Standing Desks
No chair. I have a standing desk. This post was split into a dedicated thread from our thread about chairs :slight_smile:
#workspace#opinions
177 8405 77
New
DevotionGeo
Backend Developer Forum>Chat/Discussions

Would you use Erlang now when there is Elixir?
Why, if your answer is yes?
/elixir/erlang
167 4163 52
New
AstonJ
Hardware

GMK Serika Keycaps - Serika 2 available to order now!
I have seen the keycaps I want - they are due for a group-buy this week but won’t be delivered until October next year!!! :rofl: The Ser...
/keyboards#keycaps#mechanical-keyboards
9 4158 7
New
Exadra37
Linux Developer Forum>Questions/Help

What is the most minimalist Linux server distro?
I am asking for any distro that only has the bare-bones to be able to get a shell in the server and then just install the packages as we ...
#linux#servers
66 19919 25
New
mafinar
Backend Developer Forum>Chat/Discussions

Data Structures and Algorithms with Elixir
This is going to be a long an frequently posted thread. While talking to a friend of mine who has taken data structure and algorithm cou...
/elixir#algorithms#data-structures
108 8797 32
New
First poster: joeb
In The News

Safari now supports File System Access API with private origin
The File System Access API with Origin Private File System. WebKit supports new API that makes it possible for web apps to create, open,...
webkit.org
#safari#api
43 2738 22
New
PragmaticBookshelf
In The Spotlight

Spotlight: Karl Stolley (Author) Interview and AMA!
Author Spotlight: Karl Stolley @karlstolley Logic! Rhetoric! Prag! Wow, what a combination. In this spotlight, we sit down with Karl ...
#author-spotlight/book-programming-webrtc
31 3516 17
New
Back to top

Latest in PragProg

Ash Framework B4: passing map instead of string in search_artists! (page 85)
PragProg Customers
Hotwire Native for Rails Developers: navigatorHostId value (pages 28, 29, 30)
PragProg Customers
Ash Framework B4: typo and missing comma (143)
PragProg Customers
Machine Learning in Elixir: Chapter 4. Bug with avg_loss counting
PragProg Customers
Agile Web Development with Rails 8: (page 54)
PragProg Customers
Advanced Hands-on Rust: Mars elements mismatch in text and code (B3 p264)
PragProg Customers
Advanced Hands-on Rust: Mars mesh calculation wrong (B3 p248)
PragProg Customers
Tmux 3: paste-command not recognized (pg 59)
PragProg Customers
Pragmatic Unit Testing in Java with JUnit, Third Edition: assertEquals arguments reversed (page 241)
PragProg Customers
Advanced Hands-on Rust: Mars bounce code wrong (B3 p236)
PragProg Customers
Advanced Hands-on Rust: Flappy dimensions are wrong (height should be 45)
PragProg Customers
Advanced Hands-on Rust: B3 Chapter 8 compilation issue
PragProg Customers
Agile Web Dev with Rails 8 (pg 93)
PragProg Customers
Engineering Elixir Applications: JPperf workaround clarification (page 144)
PragProg Customers
Agile Web Development with Rails 8: live product refresh not working in chapter 6, page 83
PragProg Customers

View all threads ❯

Latest (all)

An Experimental Study of Bitmap Compression vs. Inverted List Compression
In The News
The Meter, Golden Ratio, Pyramids, and Cubits, Oh My
In The News
Enhancing Frame Detection with Retrieval Augmented Generation
In The News
Google’s 'consent-less' Android tracking probed by academics
In The News
Tattoo ink exposure is associated with lymphoma and skin cancers – a Danish study of twins - BMC Public Health
Health & Diet
Another Conflict Between Privacy Laws and Age Authentication-Murphy v. Confirm ID - Technology & Marketing Law Blog
In The News
Rocky Linux: The Rocky Enterprise Software Foundation endorses the United Nations Open Source Principles
Linux News
MySQL 9 Essentials (PragProg)
Backend Learning Resources
How to run Ollama deepseek-coder:6.7b-instruct-q4_K_M in Docker for CrewAI Agents?
Backend Questions/Help
Apple's Software Quality Crisis: When Premium Hardware Meets Subpar Software
In The News
DuckDB goes distributed? DeepSeek’s smallpond takes on Big Data
In The News
How to Set Up a Free RTMP Server in 2025?
Blogs/Articles/Talks/Podcasts
Apple's C1 modem breaks no records for speed, but is exceptionally power efficient
In The News
Phlex for Rails Emails: Action Mailer without ERB
In The News
Ghost hunting, pornography and interactive art: the weird afterlife of Xbox Kinect
In The News

View all threads ❯

We ❤️ helpful members!

We reward our most helpful members via our MOTM scheme - by giving away a whopping 25 books per year!

Member of the Month

Devtalk Sponsors

Pragmatic Bookshelf

Practical resources that improve the lives of professional developers.

Erlang Solutions

We build trusted fault-tolerant systems that scale to billions of users.

AppSignal

Catch errors, track performance, monitor hosts and more.

WyeWorks

Enabling companies to succeed by building software people love.

Pragmatic Studio

Courses that'll move you from confusion to "Aha, now I get it!"

View all our sponsors ❯

Categories:

Popular Portals

Devtalk Sponsors

Pragmatic Bookshelf

Practical resources that improve the lives of professional developers.

Erlang Solutions

We build trusted fault-tolerant systems that scale to billions of users.

AppSignal

Catch errors, track performance, monitor hosts and more.

WyeWorks

Enabling companies to succeed by building software people love.

Pragmatic Studio

Courses that'll move you from confusion to "Aha, now I get it!"

View all our sponsors ❯

We're in Beta

About us Mission Statement See our Roadmap