Somebody tried to hack P5 today

Funny fact: some guy (or gal) tried to hack my todo example application a couple of hours ago. The approach was to add a script tag in the Multiline textarea column, which would create a JavaScript alert box. Of course the attempt was unsuccessful. The reason he didn't succeed is that as I turn Markdown into HTML, I actually run it semantically through a whitelist of legal HTML elements, which is specifically designed to eliminate these types of hacks.

In fact, you can see the hacking attempt for yourself if you click this link and try to edit the item by clicking the pencil button, since I have consciously left the hacking attempt as it was, to illustrate the concept. Now as the item is turned from Markdown into HTML, the script inclusion is explicitly removed, since the script tag is not on my "whitelist". Hence, although it was a creative attempt, it didn't succeed. Simply put, this is because the entirety of Phosphorus Five, and all of its related apps, are consciously created with extremely "defensive coding", and such simple script inclusions are definitely high up on my radar in regards to security.

For the record, if you wish to try to hack Phosphorus Five, I would appreciate it if you sent me an email at thomas@gaiasoul.com if you were somehow to actually succeed, and (of course) explained to me how you managed to do it.
