Implementation - continued ......

Security Considerations

Any system being produced has security considerations, no matter how small or seemingly insignificant. The system being produced as part of this project is no exception and has security issues that need consideration before the system can be deemed ‘complete’. The two main considerations to be taken into account are ‘HTML escaping’ and ‘SQL injection’.

HTML escaping: The basics of HTML escaping have already been discussed in the previous section entitled “Further enhancements—Implemented” and so I will not re-iterate what I have already mentioned there. Instead, I will provide a simple, non malicious example, of what can be achieved if user provided input is not escaped or incorrectly HTML escaped.

An example

For our example, our user enters the following text as the body of their news article;

Noel... <script>alert(’Gotcha’);</script>

If our Web page did not HTML escape this input then when a person were to read the posted article, the Javascript within the <script> and </script> HTML tags would be executed and an alert shown. While this example is harmless, it is possible to execute very malicious Javascript in this way such as ‘cookie theft’ and ‘session hijacking’. When HTML escaping is used however, the news article would be displayed as it should be because the HTML tags present would be re-written like so:

Noel... &lt;script&rt;alert(’Gotcha’);&lt;/script&gt;

Meaning that they are now harmless text and not interpreted as HTML by the user’s Web browser.