Futurology website - feedback & crit needed!

Discussion in 'Websites' started by davedx, Mar 24, 2005.

  1. #1
    Hey all :)

    Well, been working on this site for the past few weeks, taken a bit longer than I thought it would, but then there was a certain amount of self-inflicted feature creep... anyway, it's about 95% finished now, all that really remains to be done is tidy up a couple of the articles and write a press release, then I'm going to start marketing it. Before I do, I'd like to cordially invite all and sundry to take a look. All comments, feedback, criticism very welcome - thanks in advance!

    The URL is: http://photonswarm.com

    Dave
     
    davedx, Mar 24, 2005 IP
  2. J.D.

    #2
    I would make links into blocks (so that the whole row would light up). Your registration form is vulnerable to XSS attacks - you need to fix it ASAP (use htmlspecialchars to encode input values before echoing).

    J.D.
     
    J.D., Mar 24, 2005 IP
  3. davedx

    #3
    Thanks for the feedback JD!

    I'm afraid we've been here before, I've read up about this but I'm still confused about how the form is vulnerable to XSS - could you give me a demo of how it's vulnerable?
     
    davedx, Mar 25, 2005 IP
  4. J.D.

    #4
    Ok, give me a few minutes. I will attach a sample page with a long link. You can click the links and see it in action. I will remove the page in a short while.

    J.D.
     
    J.D., Mar 25, 2005 IP
  5. J.D.

    #5
    Apparently, you are quoting quotes, which makes things a bit more difficult, but not impossible. Hang on for about 10 more minutes :)
     
    J.D., Mar 25, 2005 IP
  6. J.D.

    #6
    Ok, go ahead and click on the link in the attached document.

    J.D.
     
    J.D., Mar 25, 2005 IP
  7. J.D.

    #7
    I'm about to remove the demo attachment, but so that everybody knows, quoting quotes doesn't help much in case of XSS attacks, despite what some people believe. What I was able to achieve with very little effort is to stick an iframe on the target page with somebody else's website showing in the frame. With a little bit of work, it would be possible to replace the entire page with arbitrary content (e.g. a mock-up page that is served off the attacker's website and gathers passwords).

    Make sure you use some encoding function when echoing back the input. If your output is HTML (e.g. form inputs), use htmlspecialchars. If you are outputting URLs (e.g. links), use rawurlencode. In case of known input (e.g. user names, phone, emails, etc), validate the input - regular expressions are particularly good for this.

    J.D.
     
    J.D., Mar 25, 2005 IP
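The point J.D. makes in #7, as an added example that is not code from this thread or from photonswarm.com: a Python mock-up of a registration form that echoes the submitted username back into an input field. Python's html.escape and urllib.parse.quote stand in for the PHP htmlspecialchars and rawurlencode he names, a small addslashes() stand-in represents "quoting quotes", and a constructed iframe payload is fed through each version; the parser step shows what a browser would make of the echoed fragment. The field name, the profile URL, the username pattern and the payload are all assumptions for the example.

```python
"""Added example (not from the original thread): why backslash-escaping quotes
("quoting quotes", PHP addslashes()/magic_quotes) does not stop XSS when a
registration form echoes input back, and what per-context encoding does.
Python stand-ins are used for the PHP functions named in the thread:
html.escape ~ htmlspecialchars, urllib.parse.quote ~ rawurlencode.
The field name, URL, username rule and payload are constructed for this example."""

import html
import re
from html.parser import HTMLParser
from urllib.parse import quote

# Constructed attacker input for the "username" field of the form.
# The leading quote is only there to close the value="..." attribute;
# the iframe itself needs no quotes at all.
IFRAME_PAYLOAD = '"><iframe src=http://attacker.invalid></iframe>'


def addslashes(value: str) -> str:
    """Stand-in for PHP addslashes(): backslash-escape ' " \\ and NUL."""
    return re.sub(r"([\\'\"\x00])", r"\\\1", value)


def render_raw(username: str) -> str:
    """Vulnerable: echo the submitted value straight into the attribute."""
    return f'<input type="text" name="user" value="{username}">'


def render_slashed(username: str) -> str:
    """Still vulnerable: a backslash is not an escape character in HTML,
    so the browser still sees the double quote and closes the attribute."""
    return f'<input type="text" name="user" value="{addslashes(username)}">'


def render_escaped(username: str) -> str:
    """Fixed for HTML context: htmlspecialchars-style encoding of < > & " '."""
    return f'<input type="text" name="user" value="{html.escape(username, quote=True)}">'


def render_link(username: str) -> str:
    """Fixed for URL context: rawurlencode-style percent-encoding of the
    query parameter, then HTML-escape the whole attribute value."""
    href = "/profile.php?user=" + quote(username, safe="")
    return f'<a href="{html.escape(href, quote=True)}">profile</a>'


class TagCounter(HTMLParser):
    """Parse the fragment the way a browser would and record the tags seen."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        self.tags.append(tag)


def injected_tags(fragment: str) -> list[str]:
    """Return every tag in the fragment other than the single <input> the
    page intends to emit; anything extra came from the attacker."""
    parser = TagCounter()
    parser.feed(fragment)
    parser.close()
    return [t for t in parser.tags if t != "input"]


# Assumed allow-list for a username: validate known-format input up front,
# so a payload never reaches the output encoder at all.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{3,20}$")


def valid_username(username: str) -> bool:
    return USERNAME_RE.fullmatch(username) is not None


if __name__ == "__main__":
    for name, render in (("raw", render_raw), ("addslashes", render_slashed),
                         ("htmlspecialchars", render_escaped)):
        print(f"{name:18} injected tags: {injected_tags(render(IFRAME_PAYLOAD))}")
    print("link:", render_link(IFRAME_PAYLOAD))
    print("valid:", valid_username("dave_x"), valid_username(IFRAME_PAYLOAD))
```

Running it shows the raw and addslashes versions both hand the browser an extra iframe element, while the html-escaped version yields only the intended input. One caveat when carrying this back to PHP: before PHP 8.1, htmlspecialchars did not encode single quotes by default, so pass ENT_QUOTES if any attribute is single-quoted; and encode for the context you are writing into (HTML body or attribute versus URL), rather than applying one function everywhere.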
  8. nohaber

    #8
    I like clean designs but for a futurology site, you probably need something more "futuristic".
     
    nohaber, Mar 25, 2005 IP