XSS vulnerability in week 3

[felixschorer]

Both projects using Google Spreadsheets are vulnerable to Cross Site Scripting (XSS).

[shiffman]

Any suggestions for best / easiest way to fix this?

[felixschorer]

Well, in the case of mad libs you can for example just reject everything with regex which isn't alphanumerical. That would certainly be the easiest and most robust fix.

[felixschorer]

I've also added some entries to the spreadsheets which exploit that XSS vulnerability. My intent was it to inform inexperienced web developers, who are thinking about using your code. It should be easy to test your fix with those entries.

[felixschorer]

And also, thank you very much for taking this so seriously.
I would appreciate it if you could do a video on web security such as XSS or SQL injection attacks.

[misterhtmlcss]

@lgfrbcsgo , why not offer to create a video or text tutorial for Daniel. He seems to allow guests and then it's a win win, since he doesn't have to circle the wagons then for little details that distract from the core learning experience he's creating.

Seems like both a reasonable request and also a great way to get some exposure for yourself in the process.

Just an idea.

[felixschorer]

@misterhtmlcss I like the idea, but the problem is that I lack the experience in teaching. I am a terrible teacher and most of the time have to explain things multiple times to friends when they ask me some fairly basic stuff.
Also no one would like to listen to a terribly English speaking German for an extended period of time.