HTML and CSS Reference
Using the eval function
external source over which you don't have 100 percent control.
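The point above, as an added example that is not part of the original page: the same response string is handed to eval() and to JSON.parse(), and the outcome of each is recorded. The response text is constructed here to stand in for data fetched from a third-party endpoint; the function names are illustrative, not from any library.

```javascript
// Added example, not from the original page: what goes wrong when a response
// from a source you don't fully control is handed to eval(), and the safe
// alternative. untrustedResponse is a constructed string standing in for a
// payload fetched over the network.

// Records whether attacker-supplied code executed during parsing.
let attackerCodeRan = false;

// A payload that still "looks like" a data object but carries a side effect:
// the comma operator runs the assignment first, then yields the object.
const untrustedResponse =
  '(attackerCodeRan = true, { "user": "alice", "role": "admin" })';

// Vulnerable: whatever the server, a CDN, or a man-in-the-middle sends is
// executed with the privileges of this page.
function parseWithEval(text) {
  return eval(text);
}

// Hardened: JSON.parse() accepts only the JSON data grammar. Executable
// JavaScript is a SyntaxError, and nothing runs.
function parseAsJson(text) {
  return JSON.parse(text);
}

// Runs both parsers over the same text and reports what each one did.
function compareParsers(text) {
  attackerCodeRan = false;
  const result = {
    viaEval: null, evalError: null, evalRanCode: false,
    viaJson: null, jsonError: null,
  };
  try {
    result.viaEval = parseWithEval(text);
  } catch (err) {
    result.evalError = err.name;
  }
  result.evalRanCode = attackerCodeRan;
  try {
    result.viaJson = parseAsJson(text);
  } catch (err) {
    result.jsonError = err.name;
  }
  return result;
}

// Legitimate data round-trips through JSON.parse() unchanged. Note that eval()
// is not even a reliable JSON parser: a bare object literal at the start of a
// script is parsed as a block statement, which fails with a SyntaxError.
const trustedShape = '{ "user": "alice", "role": "user" }';
```

Running compareParsers(untrustedResponse) shows the eval path returning a plausible user object while the side effect has already fired; the JSON path rejects the text outright. The rule that follows is simple: data from outside the page is parsed, never executed.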
iFrames open up a new opportunity to attackers: the framed document runs with whatever capabilities the browser gives it, and search engines return a plethora of results dealing with exploits that rely on iFrames. Whenever you frame content you don't fully control, use the sandbox attribute to restrict what the framed document is allowed to do. The attribute takes a space-separated list of tokens, each of which lifts one restriction; the empty value and the four tokens you will use most often are listed in Table 3-2. Two cautions apply. First, don't combine allow-scripts with allow-same-origin for content served from your own origin, because a script in the frame can then reach the parent document and remove the sandbox attribute, defeating it entirely. Second, sandbox restricts the document inside the frame; it does nothing to stop someone else from framing your page (clickjacking), which is controlled with the X-Frame-Options header or the frame-ancestors directive of Content Security Policy.
TABLE 3-2 Available sandbox attribute values
Value                   Description
"" (empty string)       Applies all restrictions. This is the most secure.
allow-same-origin       iFrame content is treated as being from the same origin as the containing HTML document.
allow-top-navigation    iFrame content can navigate the top-level browsing context, that is, replace the containing HTML document with another page.
allow-forms             iFrame can submit forms.
allow-scripts           iFrame can run script.
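As an added example, not code from the original page, the following helper builds the sandbox attribute for an iFrame from an explicit allow-list of tokens and refuses the combination that defeats the sandbox. The token names are the HTML sandbox tokens from Table 3-2; the helper functions and the widget URL are assumptions made for illustration.

```javascript
// Added example, not from the original page: construct sandbox="..." for an
// <iframe> from an allow-list of tokens and reject unsafe requests. Token
// names are the HTML sandbox tokens; function names and URLs are assumed.

// Tokens from Table 3-2. The HTML spec defines further tokens (allow-popups
// and others); add one here only after reviewing what it re-enables.
const SANDBOX_TOKENS = new Set([
  "allow-same-origin",
  "allow-top-navigation",
  "allow-forms",
  "allow-scripts",
]);

// Returns the value for sandbox="..." or throws if the request is unsafe.
function sandboxValue(tokens) {
  for (const t of tokens) {
    if (!SANDBOX_TOKENS.has(t)) {
      throw new Error(`unknown sandbox token: ${t}`);
    }
  }
  // With both tokens, a framed document served from the host page's own
  // origin can run script, reach the parent, and delete its own sandbox
  // attribute. The combination is only safe when the framed document is
  // guaranteed cross-origin; this conservative policy refuses it outright
  // rather than trying to decide that.
  if (tokens.includes("allow-scripts") && tokens.includes("allow-same-origin")) {
    throw new Error(
      "allow-scripts with allow-same-origin lets same-origin content remove its sandbox"
    );
  }
  // An empty value applies every restriction; otherwise tokens are
  // space-separated. Duplicates are dropped.
  return [...new Set(tokens)].join(" ");
}

// Builds the iframe markup. src is assumed to be a constant chosen by the
// developer, not user input, so no attribute encoding is applied here.
function sandboxedIframe(src, tokens = []) {
  return `<iframe src="${src}" sandbox="${sandboxValue(tokens)}"></iframe>`;
}

// Usage: a third-party poll widget that needs script and form posts but must
// not be treated as same-origin or navigate the host page.
const pollWidget = sandboxedIframe("https://widgets.example.com/poll", [
  "allow-scripts",
  "allow-forms",
]);

// Usage: static content that needs nothing at all gets the empty value.
const staticFrame = sandboxedIframe("https://static.example.com/terms.html");
```

Start every frame with the empty value and add tokens one at a time as the framed content demonstrably needs them; a helper like this makes the final token set reviewable in one place instead of scattered through templates.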
Encoding input data
In this thought experiment, apply what you've learned about this objective. You can
find answers to these questions in the “Answers” section at the end of this chapter.
The primary way in which malicious users seek out vulnerabilities in your webpages
is through code injection: supplying input that the page ends up treating as
script or markup. A successful injection can trick legitimate users into
redirecting to a malicious site or, worse, steal private data. What additional
strategies can you design into your webpages to help prevent these types of attacks?
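Two of the strategies this section covers, validating input against an allow-list pattern and encoding text before it is placed into HTML, shown together as an added example that is not part of the original page. The patterns, the field names, and the sample form values are assumptions chosen for illustration.

```javascript
// Added example, not from the original page: allow-list validation with
// anchored regular expressions, plus HTML encoding of anything echoed back
// into markup. Patterns, field names, and sample inputs are assumed.

// Allow-list patterns. Each one is anchored with ^ and $ so that a match
// means the WHOLE value has the expected shape, not merely that a valid-
// looking substring exists somewhere inside attacker-controlled text.
const PATTERNS = {
  username: /^[A-Za-z0-9_]{3,20}$/,
  usZip: /^\d{5}(-\d{4})?$/,
  // Character allow-list for an address; a format check, not proof of delivery.
  email: /^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$/,
};

function isValid(kind, value) {
  const re = PATTERNS[kind];
  if (!re) throw new Error(`no validation rule for ${kind}`);
  return typeof value === "string" && re.test(value);
}

// The username pattern with the m flag: ^ and $ now match at line boundaries,
// so a value whose FIRST line is clean passes even though the rest is an
// injection. Never use m on a validation pattern.
const MULTILINE_USERNAME = /^[A-Za-z0-9_]{3,20}$/m;
function looseCheck(value) {
  return MULTILINE_USERNAME.test(value);
}

// HTML encoding for text placed into element content or a double-quoted
// attribute: the five characters that can change the meaning of markup.
function encodeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[ch]);
}

// Constructed inputs such as a signup form might receive, including the
// kind of values an attacker submits while probing for injection.
const SAMPLE_INPUTS = [
  { kind: "username", value: "alice_01" },
  { kind: "username", value: "<script>alert(1)</script>" },
  { kind: "username", value: "bob\n<img src=x onerror=alert(1)>" },
  { kind: "usZip", value: "98052-6399" },
  { kind: "email", value: 'mallory@example.com"><script>' },
];

// For each input: did it pass validation, and what is the encoded form that
// is safe to echo back in an error message or greeting? Encoding is applied
// regardless of validity, because rejected values are often displayed too.
function processInputs(inputs) {
  return inputs.map(({ kind, value }) => ({
    kind,
    valid: isValid(kind, value),
    encoded: encodeHtml(value),
  }));
}
```

Validation and encoding are separate defenses, not alternatives: validation rejects values that cannot be legitimate, and encoding makes sure that whatever is displayed, including the rejected value in an error message, is rendered as text rather than interpreted as markup.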
■ Regular expressions are patterns, written in a compact special-purpose syntax, that a regular-expression engine matches against text. Use them to validate that input has exactly the format you expect, anchoring the pattern so the whole value must match, before the value is used anywhere in the page.