Simple Demonstration

April 15th, 2009

Borepatch has a post up about XSS (cross-site scripting). It is an all too commonly allowed loophole that lets script kiddies do all kinds of things. For a totally benign demonstration, click the comments link.

Edit: WordPress DOES clean up the input of normal users, while allowing higher-level users to create scripts. This is acceptable, assuming no one gets access to your login. Of course, JavaScript injection is probably among the least of your worries if that happens.
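To make the role-gated policy in the edit above concrete, here is an added example (my own code, not WordPress's) of a comment renderer that escapes or allowlists everything an ordinary commenter submits while letting a trusted role publish raw markup. The role names, the allowlisted tags and the URL schemes are assumptions chosen for the example.

```python
"""Role-gated comment sanitizer (added example, not WordPress code).

Ordinary commenters' markup is rebuilt from an allowlist before it is
rendered; a trusted role (here 'admin', an assumed role name) may publish
raw HTML, which is the trade-off the post describes.
"""
import html
from html.parser import HTMLParser

# Assumed allowlist: tags ordinary commenters may use, and the attributes
# that survive on each. Disallowed tags are escaped rather than silently
# dropped, so the reader still sees what was typed but the browser never
# parses it as markup.
ALLOWED_TAGS = {"b", "i", "em", "strong", "code", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_SCHEMES = ("http://", "https://")

TRUSTED_ROLES = {"admin"}  # assumed: roles allowed to post unfiltered HTML


class _Sanitizer(HTMLParser):
    """Rebuilds the input, keeping only allowlisted tags and attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            # Show the tag as literal text instead of letting it render.
            self.out.append(html.escape(self.get_starttag_text()))
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops event handlers, style, etc.
            if name == "href" and not (value or "").lower().startswith(SAFE_SCHEMES):
                continue  # drops non-http(s) link targets
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")
        else:
            self.out.append(html.escape(f"</{tag}>"))

    def handle_data(self, data):
        # Text nodes are always escaped; the parser already decoded any
        # character references, so this cannot double-escape.
        self.out.append(html.escape(data))

    def result(self):
        return "".join(self.out)


def render_comment(text: str, role: str) -> str:
    """Return markup that is safe to embed in the page for this author role."""
    if role in TRUSTED_ROLES:
        return text  # trusted roles keep their scripts, as the post notes
    parser = _Sanitizer()
    parser.feed(text)
    parser.close()
    return parser.result()


if __name__ == "__main__":
    # Constructed sample comments, one per role.
    print(render_comment('<b onclick="x()">hi</b> <script>alert(1)</script>', "subscriber"))
    print(render_comment("<script>alert(1)</script>", "admin"))
```

The shape of the filter matters more than the particular allowlist: decode once, rebuild from a positive list, and escape everything that is not explicitly permitted. The trusted-role branch is deliberately a plain passthrough, which is exactly why a stolen privileged login makes the filter irrelevant.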


4 Comments

  1. chrisb

  2. Borepatch

    Heh.

    Alas, many web developers seem to think that input validation is like flossing - a good idea when you’re not in a hurry.

  3. Borepatch

    I think a lot depends on the version of Wordpress you use. There were a bunch of vulnerabilities reported last summer:

    One nice thing about Blogger is that it’s Software as a Service, so (presumably) the Blogger d00dz update the software regularly. Presumably.

  4. chrisb

    I agree. WordPress is OSS, and has a large community of developers working on it.

    It also lets me do whatever I want, and I own the content. The inadvertent blogger shutdown of sites last year kind of scared me off.
