Not a good idea without first cleaning them. As I discovered today on another blog, it's way too easy to hijack via JavaScript in the referer!
How is it done? Too easy.
<script>top.location.href='http://redirect_to_this_assholes_page';</script>
Edit: On second thought, this was probably targeting automatically generated statistics pages... and a blog just got caught. Of course, this assumes someone didn't specifically target that blog but rather used a crawler.
Statistics pages make more sense, as hardly anyone ever visits their own and would likely not notice for a while, whereas with a busy blog it's spotted very quickly.
That's why it's important to check referers to make sure that it's both a valid site and it links to your site.
If you are using Awstats and MT (probably nobody) you can see http://www.estey.com/files/mt-awstats.zip for a little plugin.
#Is that what happened to Jeremy's site?
#And always, always HTML encode any dynamically generated content that isn't supposed to be HTML itself. It's really quite a simple concept, but it still tends to be forgotten way too often.
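The two defenses raised in these comments (check that a referer is a real site, and HTML-encode it before writing it into a page) are shown together below in an added Python example; it is not code from this blog or from Movable Type/Awstats, and the sample referer values, including one shaped like the redirect payload above, are constructed for the demonstration.

```python
import html
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample referer values, as a stats page might have logged them.
SAMPLE_REFERERS = [
    "http://www.example.com/blog/entry/42",
    "<script>top.location.href='http://attacker.invalid/';</script>",
    'http://www.example.com/x"><script>alert(1)</script>',
    "javascript:alert(document.cookie)",
]


def is_plausible_referer(referer: str) -> bool:
    """Accept only absolute http(s) URLs that name a host.

    A referer header is client-controlled, so this is a plausibility check,
    not proof that the site really links here; it simply refuses values
    that cannot be a page at all (bare markup, javascript: URLs, ...).
    """
    try:
        parts = urlsplit(referer)
    except ValueError:
        return False
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def render_referer_row(referer: str) -> Optional[str]:
    """Return one HTML table row for the referer, or None if it fails the check.

    The value is HTML-encoded for both the href attribute and the text node,
    so even a referer that passes the URL check cannot inject markup.
    """
    if not is_plausible_referer(referer):
        return None
    safe = html.escape(referer, quote=True)  # encodes < > & " '
    return f'<tr><td><a href="{safe}">{safe}</a></td></tr>'


def render_referer_table(referers) -> str:
    """Build the stats table, silently dropping referers that fail the check."""
    rows = [r for r in (render_referer_row(x) for x in referers) if r is not None]
    return "<table>\n" + "\n".join(rows) + "\n</table>"


if __name__ == "__main__":
    print(render_referer_table(SAMPLE_REFERERS))
```

The URL check alone is not enough: the third sample passes it and still carries a script tag, which only the encoding step neutralises. The reverse is also true, since encoding alone would happily print a `javascript:` link. Doing both is cheap.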
#"Statistic pages makes more sense as hardly anyone ever visits their own..."
Huh!!?! My blog is like - the only blog I visit on a daily basis. Even if I know that it hasn't changed.
I don't know what you're talking about.
::g::
#This particular issue is better known as Cross Site Scripting (shortened to XSS). Properly done, it can lead to all sorts of "interesting" issues, where data can be leaked out of a browser. A blog is a handy page to try and "exploit" with the aid of these flaws, as it's not necessarily obvious where the real malicious code has come from.
As a general rule, any user input should be validated and sanitised before being used. That's just a sensible precaution.
#Áedán has it right, always filter any data you accept from a user. Also, referer checking is nice, but it cannot be depended on. It is very easy to spoof since it relies on the client's browser to keep track of the referer. A Perl script can be easily whipped up to act as a very simple browser which can post with any referer the programmer wishes to use.
#Hey Kasia, have you seen that this post has been referenced on El Reg?
you're famous! (in britain anyway...)
#The easiest way is to use the strip_tags function in PHP. I only allow users to bold, link, and italicize. Keeps it simple. Good job in getting on The Register.
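An allowlist of bold, link and italic is a sound approach, with one caveat the PHP manual itself documents: strip_tags with an allowed-tags list keeps the attributes of those tags, so `<a href="..." onmouseover="...">` survives intact. The added Python example below (not the commenter's PHP, and not code from this blog) implements the same allowlist but rebuilds each tag from scratch, keeping only an http(s) href on links and encoding all text; the sample comment strings are constructed.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# The only tags a commenter may use: bold, italic, link.
ALLOWED_TAGS = {"b", "i", "a"}


def _safe_href(url: str):
    """Return the URL if it is an absolute http(s) link, else None."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return None
    if parts.scheme in ("http", "https") and parts.netloc:
        return url
    return None


class CommentSanitizer(HTMLParser):
    """Re-emit only allowed tags, with no attributes except a checked href."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open = []  # stack of allowed tags currently open, for balancing

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # disallowed tag is dropped; its text content is kept
        if tag == "a":
            href = _safe_href(dict(attrs).get("href") or "")
            if href is None:
                return  # link without a usable http(s) target is dropped
            self.out.append(f'<a href="{html.escape(href, quote=True)}">')
        else:
            self.out.append(f"<{tag}>")  # rebuilt without any attributes
        self.open.append(tag)

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag in self.open:
            # Close anything opened after it too, so output stays well-formed.
            while self.open:
                t = self.open.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break

    def handle_data(self, data):
        # Text nodes are always encoded, so they can never become markup.
        self.out.append(html.escape(data, quote=False))

    def result(self) -> str:
        while self.open:  # close tags the commenter left open
            self.out.append(f"</{self.open.pop()}>")
        return "".join(self.out)


def sanitize_comment(text: str) -> str:
    """Sanitize one comment body for inclusion in the page."""
    p = CommentSanitizer()
    p.feed(text)
    p.close()
    return p.result()


if __name__ == "__main__":
    # Constructed sample input in the shape of the redirect trick above.
    print(sanitize_comment("<b>hi</b> <script>top.location.href='http://attacker.invalid/';</script>"))
    print(sanitize_comment('<a href="http://example.com/" onmouseover="alert(1)">link</a>'))
```

Unknown tags are dropped rather than encoded, matching strip_tags behaviour, while event-handler attributes and non-http(s) link targets never reach the output.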
#Surely all you need to do is strip out the code for top.location.href='http://www.theregister.co.uk/content/55/29396.html'; anglebracket script close anglebracket? Or maybe get the form to strip out top.location.href from any script which is input in the comments box?
#I also went to Mexico, found the people a bit strange but the food was great. Did anyone else see the Monkey directing traffic?
#Congrats on the entry at The Register :)
As for the interesting problem, I have thankfully disabled trackbacks on my MT journal (elsewhere), so I don't think I have the problem.
Thanks for letting people know :)
I mentioned this idea about a week ago as well as a few possible routes for poisoning the HTTP referrer field. http://www.stargeek.com
#See both of these (in German):
http://www.sns1.de/partner/flamme/wflamme.nsf/Shortcut/XSSAttacke
http://www.sns1.de/partner/flamme/wflamme.nsf/Shortcut/ReferrerTrouble
Wolfgang
#To protect your blogs from stupid referrers, just disable HTML in your forms... Period.
No HTML access, no tricky JavaScripts.
Jessi
Is it me or is The Register a little late to the table on this? I have blogged about log
(read more)
February 19, 2003 04:17 PM