XSS Me Please

From the Hilton Hotels booking site, while booking for OSCON:

Due to system limitations please do not use the following characters: &, %, < and >.

Oh, so tempting…

Could the title of this post be pronounced “Kiss Me Please”?

2 thoughts on “XSS Me Please”

  1. The other day I found out Google’s signup process is even worse. It wouldn’t accept my password because I tried to use non-ASCII symbols.

  2. This happens when the whole thing is put together by somebody who has never done database programming before and doesn’t bother to really learn how to do it properly. He looks up just enough of the documentation to get something that appears to basically work on his first test, and then he doesn’t read any further, so he never finds out about even really basic things like prepared statements and bound parameters. Instead, the dude builds the whole thing on just enough knowledge to write Hello World. In all probability, if you saw a random sample of his source code, it would make you want to take a shower. It’s almost certainly got SQL directly hardcoded all over the place. Very likely any little change to the database schema, such as adding a field to a table, would require hunting down every single place in the code where records are inserted into the table, and changing the hardcoded SQL to insert an extra NULL to accommodate the field.

    It’s a personality trait, wanting to learn as little as possible, just enough to be able to mostly get by. And it is surprisingly common.
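As an added illustration of the second comment's point (example code, not from the post or its commenters): the booking site's character blacklist rejects ordinary input such as "AT&T", while a bound parameter on the way into the database and HTML escaping on the way out handle all four characters without banning any. It assumes an in-memory SQLite table and a constructed guest name.

```python
import html
import sqlite3

# The booking site's rule: refuse any input containing one of these characters.
FORBIDDEN = set("&%<>")


def blacklist_ok(value: str) -> bool:
    """Return True if the value passes the site's character blacklist."""
    return not (FORBIDDEN & set(value))


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the booking database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE guests (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    return conn


def store_and_render(conn: sqlite3.Connection, name: str) -> str:
    """Store a guest name with a bound parameter, read it back, and escape it
    for HTML output. The SQL text never contains the user's data, so &, %,
    < and > are stored verbatim; html.escape neutralises them on display."""
    conn.execute("INSERT INTO guests (name) VALUES (?)", (name,))  # bound, not concatenated
    row = conn.execute("SELECT name FROM guests WHERE name = ?", (name,)).fetchone()
    assert row is not None and row[0] == name  # stored unchanged
    return "<td>" + html.escape(row[0]) + "</td>"
```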