While trying to use the ‘search’ feature on Digg, I realized that it is vulnerable to Cross Site Scripting (XSS). The search string is echoed back without proper output encoding. Example:
I haven’t checked to see if the comments or new story submission modules are affected – if they are, things could get pretty messy. I have contacted the Digg team about this, lets hope they fix it soon.
Update: They fixed it this morning.
Contact Us | Advertise with Us | Privacy Policy | Press Center | Jobs
Weblog authors are solely responsible for the content and accuracy of their weblogs, including opinions they express,
and O’Reilly Media, Inc., disclaims any and all liability for that content, its accuracy, and opinions it may contain.
This work is licensed under a Creative Commons License.
For problems or assistance with this site, email help@oreillynet.com | (707) 827-7000 / (800) 998-9938
