Web Application Gotchas: Never trust input
nov 19 2007
Repeat after me: never trust input in web applications. Never ever. Don’t trust input in GET requests. Don’t trust input in POST requests. Just don’t do it.
“Oh, but that’s ok,” you think, “I always check data that the user inputs.” But no, that’s not enough! Any data that is received by the web application has to be checked before you use it…
That, or … Kill everyone that attempts XSS attacks. Why can’t people just use the #@!±?% web applications as they were intended to be used?!
sigh
Update: this goes for HTTP headers as well, btw. Don’t trust them! It’s not difficult to forge them.
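The rule from the post and its update, worked through in Python as an added example (not code from the original post): a GET/POST value is output-encoded before it lands in HTML, a POST field is checked against an allowlist, and a client-supplied Referer header is verified against the hosts we own. The host names and all request values below are assumed for the example.

```python
# Added example (not from the original post): "never trust input" applied to
# a GET parameter, a POST field and an HTTP header. All request values used
# here are constructed, and ALLOWED_HOSTS is an assumed deployment setting.
import html
import re
from typing import Optional
from urllib.parse import urlparse

ALLOWED_HOSTS = {"example.com", "www.example.com"}  # assumed: hosts we own
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")     # allowlist, not denylist


def render_greeting_unsafe(name: str) -> str:
    """What the post warns against: input goes straight into the markup,
    so a value containing tags becomes live HTML (reflected XSS)."""
    return f"<p>Hello, {name}!</p>"


def render_greeting(name: str) -> str:
    """Same page, but the value is HTML-escaped (quotes included) so any
    markup inside it is rendered as inert text."""
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


def is_valid_username(field: str) -> bool:
    """Check a POST field against an allowlist; reject rather than 'clean'."""
    return USERNAME_RE.fullmatch(field) is not None


def is_trusted_referer(referer: Optional[str]) -> bool:
    """Headers are client-supplied too. Accept a Referer only if it is an
    http(s) URL whose host is exactly one of ours (no suffix tricks)."""
    if not referer:
        return False
    parsed = urlparse(referer)
    return parsed.scheme in ("http", "https") and parsed.hostname in ALLOWED_HOSTS


if __name__ == "__main__":
    probe = '"><img src=x onerror=alert(1)>'  # constructed sample input
    print(render_greeting_unsafe(probe))       # tags survive: bad
    print(render_greeting(probe))              # tags escaped: safe
    print(is_valid_username("alice_01"), is_valid_username("alice;--"))
    print(is_trusted_referer("https://www.example.com/start"),
          is_trusted_referer("https://example.com.evil.test/"))
```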