Updates from April, 2009

  • Some sites should fear their search boxes

    Andi, 09:50 on April 15, 2009

    Half an hour of research has shown that many websites still don’t filter their HTML for potential XSS attacks. I just entered the simple search term “<script>alert(1)</script>” into the search boxes of well-known news sites in the USA, the UK and Germany and found 7 vulnerable websites. Some of them simply include the search term unescaped in the page; others get into trouble when the term is placed inside an embedded JavaScript string. In the latter case I had to change the term a bit to get the script executed. The following sites are vulnerable:

    You should check your code, guys, and learn …
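    The two failure modes described above (the term dropped straight into the HTML, and the term dropped into a JavaScript string inside a <script> block) come down to missing output encoding for the context the value lands in. The following is an added example, not code from the original post or from any of the sites mentioned: it renders a results page the unsafe way and the escaped way, using the same test term as the post, and counts the script start tags that end up in the markup. The function names and the page template are assumptions made for the illustration.

```javascript
// Constructed input: the same harmless probe term used in the post above.
const SEARCH_TERM = '<script>alert(1)</script>';

// Context 1: the term is placed into HTML text. Encode the five characters
// that can start or end a tag, attribute or entity.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;'
  }[c]));
}

// Context 2: the term is placed into a JavaScript string literal inside an
// inline <script> block. JSON.stringify produces a quoted, backslash-escaped
// literal; on top of that, '<', '>' and '&' become \u escapes so the HTML
// parser can never see "</script>" inside the string, and the U+2028/U+2029
// line terminators are escaped so the JS parser never sees a raw line break.
function escapeJsStringLiteral(s) {
  return JSON.stringify(String(s)).replace(/[<>&\u2028\u2029]/g,
    c => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// The pattern the post describes: the raw term is used in both contexts.
function renderResultsPageUnsafe(term) {
  return `<p>Results for ${term}</p>\n` +
         `<script>var q = "${term}";</script>`;
}

// The corrected template: each sink gets the encoder for its own context.
function renderResultsPage(term) {
  return `<p>Results for ${escapeHtml(term)}</p>\n` +
         `<script>var q = ${escapeJsStringLiteral(term)};</script>`;
}

// Simple check used to compare the two outputs: how many <script ...> start
// tags does the HTML parser find? The page legitimately contains exactly one.
function countScriptOpenTags(html) {
  return (html.match(/<script\b/gi) || []).length;
}

console.log('unsafe :', countScriptOpenTags(renderResultsPageUnsafe(SEARCH_TERM)));
console.log('escaped:', countScriptOpenTags(renderResultsPage(SEARCH_TERM)));
```

Note that the two encoders are not interchangeable: HTML-escaping a value that ends up inside a JavaScript string literal leaves the string syntax unprotected, and JSON-escaping a value that ends up in HTML text does nothing about `<`. The encoder has to match the context of the sink, which is why a single generic "filter" on the way in tends to miss one of the two cases the post observed.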

     
  • Adapting a Polyline Encoder to PHP

    Andi, 10:22 on March 16, 2008

    For a project I need encoded geographical polylines in Google Maps. A geographical polyline can be used to show a route or an area on a map. A polyline is made of several geographical points. Each point is composed of latitude and longitude. Example for a polyline:

    [
    
      // point
      {
        // latitude
        Latitude: 49.75121628642191,
    
        // longitude
        Longitude: 6.6281890869140625
      },
    
      {
        Latitude: 49.76252796566851,
        Longitude: 6.633853912353516
      },
    
      {
        Latitude: 49.757537844205025,
        Longitude: 6.649990081787109
      },
    
      {
        Latitude: 49.749441665946,
        Longitude: 6.642951965332031
      }
    ]
    

    If you load a big bunch of points from your server, this can take a while. The better solution is to encode them into a compact binary format. In a forum I found a dead link to a Google Maps encoding algorithm coded in PHP ;(, so I found one implemented in JS and adapted it to PHP. You must take care of one thing: replacing the JavaScript function String.fromCharCode() with PHP’s chr() will not work, because chr() does not support Unicode. On php.net I found unichar(), which handles Unicode. The client-side encoder can be tested here. Download the ZIP, which includes a PHP class and the whole thing in JavaScript: polyline.zip
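    To make the encoding step concrete, here is an added example in JavaScript (the language the adapted encoder came from); it is not the code from polyline.zip and not Google's own implementation. It implements the Google Maps encoded-polyline algorithm in both directions: each coordinate is scaled by 1e5 and rounded, stored as a delta from the previous point, left-shifted by one bit with negative values inverted, then emitted in 5-bit chunks (plus 63, with bit 0x20 set on every chunk but the last). The point format `{ Latitude, Longitude }` follows the post's example; the three-point test vector in the usage note is Google's documented one.

```javascript
// Encode one already scaled and delta'd integer as 5-bit chunks.
function encodeValue(value) {
  // Left shift makes room for the sign in the low bit; negatives are inverted
  // so that they also become non-negative numbers with the low bit set.
  let v = value < 0 ? ~(value << 1) : value << 1;
  let out = '';
  // Emit the low 5 bits first; 0x20 flags "more chunks follow".
  while (v >= 0x20) {
    out += String.fromCharCode((0x20 | (v & 0x1f)) + 63);
    v >>= 5;
  }
  out += String.fromCharCode(v + 63);
  return out;
}

// points: array of { Latitude, Longitude } as in the post's example.
function encodePolyline(points) {
  let prevLat = 0, prevLng = 0, out = '';
  for (const p of points) {
    const lat = Math.round(p.Latitude * 1e5);
    const lng = Math.round(p.Longitude * 1e5);
    // Only the difference to the previous point is stored, which keeps the
    // values, and therefore the number of chunks, small.
    out += encodeValue(lat - prevLat) + encodeValue(lng - prevLng);
    prevLat = lat;
    prevLng = lng;
  }
  return out;
}

// Inverse: read chunks until one without the 0x20 flag, undo the shift/invert,
// and accumulate the deltas.
function decodePolyline(encoded) {
  const points = [];
  let index = 0, lat = 0, lng = 0;
  const readValue = () => {
    let result = 0, shift = 0, b;
    do {
      b = encoded.charCodeAt(index++) - 63;
      result |= (b & 0x1f) << shift;
      shift += 5;
    } while (b >= 0x20);
    return (result & 1) ? ~(result >> 1) : (result >> 1);
  };
  while (index < encoded.length) {
    lat += readValue();
    lng += readValue();
    points.push({ Latitude: lat / 1e5, Longitude: lng / 1e5 });
  }
  return points;
}

// Constructed sample: the four points from the post above.
const SAMPLE_POINTS = [
  { Latitude: 49.75121628642191, Longitude: 6.6281890869140625 },
  { Latitude: 49.76252796566851, Longitude: 6.633853912353516 },
  { Latitude: 49.757537844205025, Longitude: 6.649990081787109 },
  { Latitude: 49.749441665946, Longitude: 6.642951965332031 }
];

// Round-trip check: every decoded coordinate must be within the 1e-5
// resolution that the scaling step throws away.
function roundTripsWithinResolution(points) {
  const decoded = decodePolyline(encodePolyline(points));
  return decoded.length === points.length && decoded.every((p, i) =>
    Math.abs(p.Latitude - points[i].Latitude) < 1e-5 &&
    Math.abs(p.Longitude - points[i].Longitude) < 1e-5);
}

console.log(encodePolyline(SAMPLE_POINTS));
console.log('round trip ok:', roundTripsWithinResolution(SAMPLE_POINTS));
```

Google's documented test vector is the points (38.5, -120.2), (40.7, -120.95), (43.252, -126.453), which encode to `_p~iF~ps|U_ulLnnqC_mqNvxq`@`. Every character the encoder produces lies in the range 63 to 126, so the string itself is plain ASCII and can be passed in a query string or JSON without further escaping; the port to PHP only has to reproduce the bit arithmetic and the chunk-to-character step faithfully.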
