security

Drupal Security - User Input - Part II

In this post we'll be talking about Cross-Site Scripting (XSS) and the steps to take to prevent this type of security breach on your Drupal site. Without going into the gory details, XSS allows a malicious user to insert a script into one of your web pages, which can then be used to steal other users' identities, craft phishing attacks, and bypass access controls. For more detailed examples of XSS attacks see: http://ha.ckers.org/xss.html.

Drupal Security - User Input - Part I

This will be a multipart series on Drupal security.

The first rule of security on a Drupal site, or any site for that matter, is: "never trust user input." User input can be used to gain access to your database (SQL injection), steal other users' session cookies and impersonate them (Cross-Site Scripting or XSS), inject unwanted spam into your pages, or execute code (gasp, shudder) on your server.
