Salesforce plugs silly website XSS hole, hopes nobody spotted it

A cross-site scripting (XSS) vulnerability on Salesforce's website might have been abused to pimp phishing attacks or hijack user accounts. Fortunately the bug has been resolved, apparently before it caused any harm. Cloud app and security firm Elastica said the issue affected a Salesforce sub-domain – admin.salesforce.com …

  1. artbristol

    Input sanitization can only ever be a defence-in-depth measure. It cannot protect 100% against injection attacks (though you should sanitize anyway.)

    The correct approach is to escape your outputs when mixing text into markup/SQL/whatever.
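
An added illustration of the distinction drawn in this comment (example code, not the commenter's or Salesforce's): a blocklist "sanitizer" applied on input versus contextual escaping applied where the text meets the markup. The render functions and the profile-name input are constructed for the example.

```javascript
// Contextual output escaping for HTML text and double-quoted attribute
// values. These five characters are the ones that can change how the HTML
// parser interprets surrounding markup.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[ch]);
}

// A naive input sanitizer of the kind the comment warns about: it removes
// <script> tags once on the way in and the stored value is trusted after that.
function naiveSanitize(input) {
  return String(input).replace(/<\/?script[^>]*>/gi, '');
}

// Renders a (constructed) profile link. renderUnsafe relies on input
// sanitization only; renderSafe escapes at the point of output, once per
// context in which the value is embedded.
function renderUnsafe(displayName) {
  const stored = naiveSanitize(displayName);
  return `<a title="${stored}">${stored}</a>`;
}
function renderSafe(displayName) {
  const safe = escapeHtml(displayName);
  return `<a title="${safe}">${safe}</a>`;
}

// Constructed untrusted input: contains no <script> tag, so the sanitizer
// passes it unchanged, yet it closes the title attribute and starts a new
// element when interpolated without escaping.
const CONSTRUCTED_INPUT = 'Bobby"><b>Tables</b>';

// Defender-side check: the untrusted text stayed inert if the rendered
// fragment still opens exactly one element (the <a>) and never breaks out
// of the attribute.
function untrustedTextStayedInert(html) {
  return (html.match(/<[a-z]/gi) || []).length === 1 && !html.includes('"><');
}
```

Running the two renderers on `CONSTRUCTED_INPUT` shows the sanitized version emitting three elements, while the escaped version keeps the whole value inside the attribute and text node.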

  2. Pascal Monett Silver badge

    Good on them

    It's nice to see a company being proactive about security, although it is unfortunate to note that the issue stems from the fact that not all sub-domains were created with the same attention to security in the first place.

    But hey, no harm, no foul.

  3. Luiz Abdala

    My Kid's name is DROP TABLES

    Now, where was that anecdote? I can't find it anymore.

    Oh yes...

    https://xkcd.com/327/

    1. Michael Wojcik Silver badge

      Re: My Kid's name is DROP TABLES

      That'd be a bit more clever if 1) this issue was in any way related to SQL injection, and 2) everyone on the entire planet wasn't already familiar with xkcd #327. There are tribes in remote regions of Papua who have never seen a computer, but nonetheless have seen crude[1] hand-drawn versions of the tale of Little Bobby Tables.

      But, really, the former item is the key one. XSS is not SQL injection, and no one is served by confusing the two.

      [1] As opposed to Randall's exquisitely minimalist renditions, of course.
