11.1. Security Considerations
It would be nice to be able to publish Web applications and sites without worrying about them being hacked, but it is not realistic. It's a jungle out there on the Internet, and unless you take serious precautions, your site is bound to become compromised sooner or later.
To make things more challenging, the security of an application is like a chain: it's only as strong as its weakest link. Covering the subject of securing a Web server is well beyond the scope of this book. If you are not familiar with the process, hosting companies and plans are available that will take care of this for you. What they cannot do, though, is guarantee that your application is secure as well. As a developer, application-level security is your responsibility, and this section should help you make more conscious choices in this regard.
11.1.1. Cross-Site Scripting (XSS)
Cross-site scripting (XSS) attacks take advantage of vulnerabilities in a Web application to inject malicious code that will be executed when other users view the page.
To better understand how XSS attacks work, let's take a look at one possible scenario. Assume that you have a blog application that allows comments. If that comment form is vulnerable to XSS attacks, a malicious user could publish a comment that includes JavaScript code. Once the comment is published on the site, every visitor who comes across that page executes the malicious JavaScript code (assuming JavaScript was enabled in their browsers). ...
Get Ruby on Rails® for Microsoft Developers now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.