- Django File Uploads (July 1)
- Django File Uploads (via). Nearly two years in the making, Django’s file upload capacity has received a major (and backwards incompatible) upgrade. Previously, files were uploaded by default into RAM—now, files larger than 2.5MB are streamed to a temporary file, and extensive hooks are provided to customise where they end up—streaming to S3, for example.
- Evil GIFs: Partial Same Origin Bypass with Hybrid Files (July 1)
- Evil GIFs: Partial Same Origin Bypass with Hybrid Files. First there were PNGs that had crossdomain.xml files embedded in them, now there are GIFs that contain Java applets (as JAR files). At this point I’d say don’t even bother trying to validate uploaded files, just make sure they’re served off an entirely different domain instead where XSS doesn’t matter.
- Javascript protocol fuzz results (June 30)
- Javascript protocol fuzz results. If your HTML sanitizer uses blacklisting rather than whitelisting, here are a few more weird ways of injecting javascript: into a link that you need to worry about—but you should really switch to whitelisting http:// and https:// instead.
- BBC iPlayer Beta (June 28)
- BBC iPlayer Beta. Preview of the new version of the iPlayer. Nice to be able to listen to Radio programmes in the same interface as TV without having to use the cramped popup window.
- Module Pattern Provides No Privacy... at least not in JavaScript(TM) (June 27)
- Module Pattern Provides No Privacy... at least not in JavaScript(TM) (via). JavaScript variables hidden inside a closure aren’t as hidden as I thought—it turns out you can pass a closure as the second argument to eval (at least in Firefox) and “steal” private variables back out of it.
