Why you should be using a proper HTML sanitization library

The idea that it’s easy to protect your web app from XSS seems to be floating around the interwebz. I’ve seen a whole bunch of “tutorials” saying stuff like “just use htmlencode()” etc.

If you’re building web applications, even small ones, do yourself a favor and use a proper html sanitization library. I hear good things about HTMLPurifier (PHP) and Sanitize (Ruby); there probably is a library for most other languages as well. I don’t dare to recommend anything specific so you’ll need to do some research, but it will be time well spent. And if you’re using a framework or CMS, use the sanitization functions they provide.

Continue reading

Facebook is actually useful, sometimes

I worked at Mäksa parish administration for a couple of months this summer. I was in charge of managing the networks & computers of the administration, plus a small school and a library (’tis a really small parish, like most of them in Estonia are). The last IT guy quit overnight without saying goodbye, or telling anyone the current server and network passwords.

And so it came to be that on a sunny day in August, the server hard dive ran out of space, and I (still) didn’t have the root password. So I called the ex-IT-guy, but he didn’t pick up his phone.

I kept calling him for the whole morning. Nothing.

Oh well, I thought, he’s probably really busy with his new job. Maybe he’ll call back later.

But then, in a sudden flash of insight, I looked him up on Facebook and sent him a message.

Got a reply exactly 11 minutes later.