What are the risks of cross-site documentation?
In their warning, CISA and FBI define XSS vulnerabilities as those errors that “occur when manufacturers fail to properly validate, clean, or escape input. This failure allows malicious actors to inject malicious scripts into web applications, and use them to control, steal, or misuse data in all different situations.”
An XSS vulnerability is “any opportunity you have for data to be unsanitized, and then used somewhere else,” Tim Mackey, head of software vulnerability strategy for Synopsys Software Integrity Group, tells CSO. “This is really, ‘Can I put HTML tags on things? Can I go and serve human-supplied data to a place where it shouldn’t be used?'”
Basically, the problem with XSS is the constant need to clean up data by users so it can’t be interpreted as HTML code that can be passed to other sites. “In cross-site coding, when you show something, you have to make sure that when it comes to the user, you escape it, so that it is not interpreted as HTML code and used in the context of that website,” Yves Younan, who leads the vulnerability detection and research team at Cisco Talos, he tells the CSO.
Source link