user", I am pretty freakout about XSS!
I am following the advice per http://www.wilderssecurity.com/showp...8&postcount=38
* Using Noscript gives protection from XSS type 1 and, to a certain extent, from XSS type 2.
This protection tends to zero if you whitelist everything, and tends to infinite if you don't whitelist anything.
* When in doubt, and the site seems to already work fine or the content doesn't appear that valuable, don't whitelist.
* The only reason to drop your doubts is the site owner's reputation being such precious that he would refund any amount for damages you may receive from a XSS (which is your problem, but his fault by definition).
I am following the advice per http://www.wilderssecurity.com/showp...5&postcount=41
But yes, Firekeeper for the known plus NoScript for the unknown sounds like a tough combo
I am following the advice per http://www.wilderssecurity.com/showp...1&postcount=49
Of the many exploitation scenarios, I will list just 3 because I'm lazy today:
1. Social engineering: the fact it works is demonstrated by this very topic, where many people followed my link even if it was not particularly crafted to be believable (it was quite suspect, indeed)
3. Last but not least, if just one precondition among "automatic completion enabled", "user already logged in" or "persistent authentication cookie (AKA Remember me)" is met, the victim doesn't even need to interact with the injected page or follow any link, as all the action can happen silently inside an invisible iframe (embedded either in a porn site, in a bible blog, in a MySpace page -- very very easy!!! -- or in an incoming HTML email message)
"automatic completion enabled", "user already logged in" or "persistent authentication cookie (AKA Remember me)"
I have a request, every once in a while, can you guys please post a "Recap"?
(My current setup is in my signature.)