What is XSS?
- Using unsanitized, untrusted data to change page layout or execute
- Query strings
- POSTed form variables
d(Ajax)/dt > 0 => d(XSS)/dt > 0
- Interactivity, scripting make XSS more likely
- Still, some safety through techniques like tainting
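The two untrusted sources just listed (query strings and POSTed form variables) only turn into XSS when their values reach the page without encoding for the context they land in. The following is an added example, not part of the slides: it parses a constructed query string, shows the unsafe concatenation the slide is warning about, and the per-context encoding that neutralises it. The function names, the sample query string and the markup are my own.

```javascript
// Added example, not from the slides: the same untrusted request data rendered
// unsafely (the XSS the slide describes) and with context-aware encoding.
// Node.js, no dependencies. Names and the sample query string are constructed.

// Constructed sample: a query string whose values carry markup. Decoded, `name`
// is <script>alert(1)</script> and `color` is red" onmouseover="alert(2)
const SAMPLE_QUERY =
  'name=%3Cscript%3Ealert(1)%3C%2Fscript%3E&color=red%22%20onmouseover%3D%22alert(2)';

// Minimal query-string parser. POSTed form bodies use the identical
// application/x-www-form-urlencoded format, so the same rules apply to them.
function parseQuery(qs) {
  const params = {};
  for (const pair of qs.split('&')) {
    if (!pair) continue;
    const eq = pair.indexOf('=');
    const rawKey = eq < 0 ? pair : pair.slice(0, eq);
    const rawVal = eq < 0 ? '' : pair.slice(eq + 1);
    const decode = (s) => decodeURIComponent(s.replace(/\+/g, ' '));
    params[decode(rawKey)] = decode(rawVal);
  }
  return params;
}

// Encoder for HTML text and quoted attribute values: neutralises the characters
// that can open a tag, close an attribute, or start an entity.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Encoder for data embedded in a JavaScript string literal inside <script>:
// JSON.stringify quotes and escapes it; "</" is broken up so the value cannot
// end the script block early, and the two line terminators JSON permits are escaped.
function jsStringLiteral(s) {
  return JSON.stringify(String(s))
    .replace(/<\//g, '<\\/')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Vulnerable: untrusted values concatenated straight into markup.
function renderUnsafe(p) {
  return `<p>Hello ${p.name}</p><div class="${p.color}">profile</div>`;
}

// Fixed: each value encoded for the context it lands in (text, attribute, JS string).
function renderSafe(p) {
  return `<p>Hello ${escapeHtml(p.name)}</p>` +
    `<div class="${escapeHtml(p.color)}">profile</div>` +
    `<script>var color = ${jsStringLiteral(p.color)};</script>`;
}

// Crude output check usable in a test: no untrusted value may survive verbatim in
// the rendered page if it contains a tag opener, tag closer or quote.
function containsRawMarkup(html, values) {
  return values.some((v) => /[<>"]/.test(v) && html.includes(v));
}
```

Run `renderUnsafe(parseQuery(SAMPLE_QUERY))` and the script tag from the query string is emitted verbatim; `renderSafe` emits it as `&lt;script&gt;...` in the paragraph, entity-encodes the quote that would otherwise close the `class` attribute, and puts a properly escaped string literal inside the script block. The point of `containsRawMarkup` is that a templating layer can be checked mechanically for this leak.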
Facebook goes one better
- Running user code is a feature, not a bug!
- It's not a (completely) domain-specific language
This is Facebook application code!
Preventing XSS: goals of sandboxing
- Preventing executing arbitrary code
- Preventing direct access to native objects
- Preventing direct access to the global object
(Goals initially stated by Neil Mix in a blog post)
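As an added illustration of the three goals (my own toy code, not FBJS's implementation and not described on the slides): every identifier and property name in the untrusted source is renamed with an app-specific prefix, so the code can only resolve names the host deliberately exposes under that prefix, and `this` is routed through a helper that refuses to hand back the global object. Identifier prefixing is the idea FBJS used; the tokenizer here is a simplification that assumes the untrusted code contains no regular-expression or template literals, and the names `rewrite`, `expose`, `runSandboxed`, the `a12345_` prefix and the sample untrusted code are mine.

```javascript
// Added example, not from the slides and not FBJS's real implementation: a toy
// identifier-prefixing rewriter for untrusted application code (Node.js, no deps).
// Every identifier and property name gets an app-specific prefix, so the code can
// only resolve names the host deliberately exposes under that prefix; `this` is
// routed through a helper that never hands back the global object.
// Assumption: the untrusted source contains no regex or template literals
// (this simplified tokenizer only understands strings, comments, numbers, names).

// Words copied through unchanged. `undefined`, `NaN` and `Infinity` are listed so
// they are not turned into undeclared (ReferenceError-throwing) prefixed names.
const PASSTHROUGH = new Set(['var', 'let', 'const', 'function', 'return', 'if', 'else',
  'for', 'while', 'do', 'break', 'continue', 'new', 'typeof', 'instanceof', 'in', 'of',
  'true', 'false', 'null', 'undefined', 'NaN', 'Infinity', 'switch', 'case', 'default',
  'try', 'catch', 'finally', 'throw', 'delete', 'void']);

function rewrite(src, prefix) {
  let out = '';
  let i = 0;
  const n = src.length;
  while (i < n) {
    const c = src[i];
    if (c === '/' && src[i + 1] === '/') {            // line comment: copy through
      const j = src.indexOf('\n', i);
      const end = j < 0 ? n : j;
      out += src.slice(i, end); i = end; continue;
    }
    if (c === '/' && src[i + 1] === '*') {            // block comment: copy through
      const j = src.indexOf('*/', i + 2);
      const end = j < 0 ? n : j + 2;
      out += src.slice(i, end); i = end; continue;
    }
    if (c === '"' || c === "'") {                     // string literal: copy through
      let j = i + 1;
      while (j < n && src[j] !== c) { if (src[j] === '\\') j++; j++; }
      out += src.slice(i, j + 1); i = j + 1; continue;
    }
    if (/[A-Za-z_$]/.test(c)) {                       // identifier, keyword or property name
      let j = i;
      while (j < n && /[A-Za-z0-9_$]/.test(src[j])) j++;
      const word = src.slice(i, j);
      if (word === 'this') out += prefix + 'ref(this)';   // goal 3: `this` goes through ref()
      else if (PASSTHROUGH.has(word)) out += word;
      else out += prefix + word;                          // goals 1 and 2: only prefixed names resolve
      i = j; continue;
    }
    if (/[0-9]/.test(c)) {                            // number literal (so 1e5 is not "e5")
      let j = i;
      while (j < n && /[0-9A-Za-z_.]/.test(src[j])) j++;
      out += src.slice(i, j); i = j; continue;
    }
    out += c; i++;                                    // punctuation, whitespace, operators
  }
  return out;
}

// Build the host-provided API under the same prefix, recursively, with no prototype,
// so untrusted code reaches exactly the keys listed here and nothing inherited.
function expose(value, prefix) {
  if (value !== null && typeof value === 'object') {
    const o = Object.create(null);
    for (const [k, v] of Object.entries(value)) o[prefix + k] = expose(v, prefix);
    return o;
  }
  return value; // primitives and functions pass through
}

// Run rewritten code as a strict-mode function whose only parameters are the
// prefixed API names. Unprefixed globals (eval, Function, window, ...) are
// unreachable because the rewritten code can only spell prefixed names.
function runSandboxed(src, prefix, api) {
  const names = Object.keys(api).map((k) => prefix + k);
  const values = Object.values(api).map((v) => expose(v, prefix));
  const ref = (t) => (t === globalThis ? undefined : t); // goal 3: hide the global object
  const fn = new Function(prefix + 'ref', ...names, '"use strict";\n' + rewrite(src, prefix));
  return fn(ref, ...values);
}

// Constructed untrusted application code: one legitimate API call, then three
// probes for things the sandbox is supposed to deny.
const UNTRUSTED = [
  "var greeting = api.greet(name);",
  "return greeting + '|' + typeof eval + '|' + typeof window + '|' + typeof this;",
].join('\n');

function demo() {
  return runSandboxed(UNTRUSTED, 'a12345_', { api: { greet: (n) => 'hi ' + n }, name: 'app user' });
}
// demo() → 'hi app user|undefined|undefined|undefined'
```

The rewrite turns `obj.property` into `a12345_obj.a12345_property`, so even a value handed in by the host only offers the members the host spelled with the prefix; a probe for an unexposed name such as `document` becomes `a12345_document` and fails with a ReferenceError. The weak spots of this toy are exactly where real sandboxes spend their effort: the tokenizer must be a complete parser (regex and template literals here), and primitives returned from the API lose their methods unless the host wraps them.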