No One Is Perfect » Reminders http://watchitlater.com/blog A reluctant foray into the world of blogging. Tue, 08 Nov 2011 12:32:55 +0000 en hourly 1 http://wordpress.org/?v=3.3.1 How to use rsync on OSX http://watchitlater.com/blog/2011/11/how-to-use-rsync-on-osx/ http://watchitlater.com/blog/2011/11/how-to-use-rsync-on-osx/#comments Tue, 08 Nov 2011 12:27:51 +0000 Tom http://watchitlater.com/blog/?p=391 I don’t really want to copy dot files (eg. .DS_Store), and I want to avoid the bug that rsync exhibits with time-capsule where it loops creating multiple ..DS_Store.xxxx files.

rsync -vrW --ignore-existing --exclude ".*" --progress ~/Movies/ /Volumes/Backup/Movies/

]]> http://watchitlater.com/blog/2011/11/how-to-use-rsync-on-osx/feed/ 0 How to delete all zero length files in a directory tree http://watchitlater.com/blog/2011/11/how-to-delete-all-zero-length-files-in-a-directory-tree/ http://watchitlater.com/blog/2011/11/how-to-delete-all-zero-length-files-in-a-directory-tree/#comments Tue, 08 Nov 2011 12:22:25 +0000 Tom http://watchitlater.com/blog/?p=389 find . -type f -size 0 -print0 | xargs -0 rm -f

]]> http://watchitlater.com/blog/2011/11/how-to-delete-all-zero-length-files-in-a-directory-tree/feed/ 1 Cross-Site Scripting vulnerability with JavaScript and JQuery http://watchitlater.com/blog/2011/10/cross-site-scripting-vulnerability-with-javascript-and-jquery/ http://watchitlater.com/blog/2011/10/cross-site-scripting-vulnerability-with-javascript-and-jquery/#comments Mon, 17 Oct 2011 09:30:13 +0000 Tom http://watchitlater.com/blog/?p=371 Think you’ve protected your site against Cross-Site scripting attacks by escaping all the content that you’ve rendered? Thought about your javascript?

Here’s a neat bug that got us today. This example is contrived to show a point.

<!DOCTYPE html>
<html>
<head>
  <meta charset="utf-8">
  <title>XSS Example</title>
  <script src="http://ajax.googleapis.com/ajax/libs/jquery/1.6.4/jquery.min.js"></script>
  <script>
    $(function() {
      $('#users').each(function() {
        var select = $(this);
        var option = select.children('option').first();
        select.after(option.text());
        select.hide();
      });
    });
  </script>
</head>
<body>
  <form method="post">
    <p>
      <select id="users" name="users">
        <option value="bad">&lt;script&gt;alert(&#x27;xss&#x27;);&lt;/script&gt;</option>
      </select>
    </p>
  </form>
</body>
</html>

See the problem? Don’t worry, neither did the pair that worked on the javascript. But our QA showed us a neat little alert box!

It looks like the JQuery text() method returns the unescaped payload of the option, and the after() method then creates a nice little script tag. Nasty stuff.

How did we deal with the problem? This was our immediate fix:

  // after() accepts a DOM element so lets create a text node
  select.after(document.createTextNode(option.text()));

Longer term fix – still open to suggestions.

]]> http://watchitlater.com/blog/2011/10/cross-site-scripting-vulnerability-with-javascript-and-jquery/feed/ 1