Mike Macgirvin
Diary and Other Rantings
   
Wednesday, Oct 08 2008, 02:18 pm
Jun 24, 2006
XSS

I can write most any kind of software and usually do it pretty well. But there are times when it's better to let somebody else do the dirty work. In this case it's so-called Cross Site Scripting or XSS. For a community site such as this it's a nightmare - but one which refuses to go away.

In simple terms, it's JavaScript injection. If you can get code onto a page, somebody will execute it by visiting that page, and one can exploit the fact that somebody is running their code. These exploits can range from minor infractions to serious felonies, and you can stick the code most anywhere that you can type something and have it show on a web page.

I had several regexes set up to stop XSS and still allow HTML authoring, but it turns out that the browsers have too many holes to plug with a few regexes. The XSS hack which took down myspace.com was instigated by putting JavaScript code into a stylesheet and breaking up the word jav a sc r ipt. Internet Explorer gladly packed it back together and ran the code. IE will also execute the same code written in hexadecimal. You can't keep writing regexes to stop all this stuff. Regexes aren't the correct tool for the job (they are part of the solution, but not the total solution). At some point it requires an HTML parser to take the 'bad' HTML one character at a time, and rebuild it into good HTML.

There are four possible solutions: 

  1. Ignore the problem and hope it goes away. It won't.
  2. Do away with HTML authoring completely and either force everybody to learn another tag system or just force everybody to use plain text.
  3. Write an HTML language parser to rebuild the code based on every historical variation of HTML which might be encountered. 
  4. Let somebody else write this parser.

I hate writing parsers, and in this case the task is to write a parser which duplicates the code flow of the most horrifically buggy web browsers. 

So I went with number 4...
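
The difference between a regex deny-list and the parse-and-rebuild approach described above, as an added Python example; it is not the author's code or the parser he adopted. The allow-list policy, the function names and the sample inputs are all constructed for illustration.

```python
import re
from html import escape
from html.parser import HTMLParser

# Constructed allow-list policy: any tag or attribute not named here is dropped.
ALLOWED = {"a": {"href"}, "p": set(), "b": set(), "i": set(), "em": set()}
SAFE_SCHEMES = {"http", "https", "mailto"}
# Constructed inputs: an entity-encoded scheme, and a scheme split by a newline.
ENCODED = '<a href="jav&#x61;script:void(0)">x</a>'
SPLIT = '<p style="background:url(\'java\nscript:void(0)\')">hi</p>'

def regex_filter(markup):  # deny-list filter of the kind the post gave up on
    markup = re.sub(r"(?is)<script.*?</script>", "", markup)
    return re.sub(r"(?i)javascript:", "", markup)

def clean_url(value):  # URL minus whitespace/control chars; None if scheme not allowed
    url = re.sub(r"[\x00-\x20]", "", value)
    scheme = re.match(r"([a-zA-Z][a-zA-Z0-9+.-]*):", url)
    return None if scheme and scheme.group(1).lower() not in SAFE_SCHEMES else url

class Rebuilder(HTMLParser):  # attribute values arrive entity-decoded
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.stack, self.skip = [], [], False

    def handle_starttag(self, tag, attrs):
        self.skip = tag in ("script", "style")  # their bodies are discarded
        if tag not in ALLOWED:
            return
        urls = ((n, clean_url(v or "")) for n, v in attrs if n in ALLOWED[tag])
        kept = "".join(f' {n}="{escape(u, quote=True)}"' for n, u in urls if u)
        self.out.append(f"<{tag}{kept}>")
        self.stack.append(tag)

    def handle_endtag(self, tag):
        self.skip = False
        if tag in self.stack:  # close this tag and anything left open inside it
            cut = len(self.stack) - 1 - self.stack[::-1].index(tag)
            self.out += [f"</{t}>" for t in reversed(self.stack[cut:])]
            del self.stack[cut:]

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data))

def sanitize(markup):
    parser = Rebuilder()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out + [f"</{t}>" for t in reversed(parser.stack)])
```

`regex_filter` returns both sample inputs unchanged because neither contains the literal string it looks for, while `sanitize` never has to recognise the bad pattern: it only re-emits what the policy names.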

 

PS> I found one developer website which seriously recommends using 'strip_tags' in PHP to make your site safe from XSS attacks. It won't, because strip_tags doesn't recurse. One can embed tags within tags and blow right through it. They should be shot. If you'd like to have a look at the number of ways that hackers can blow through your security, visit http://ha.ckers.org/xss.html

Jun 21, 2006
Upgrade

Seems like everybody is upgrading right now. First off is netscape.com - you can see the new version currently at beta.netscape.com. What's notable is article voting and avatars. Gee, where have I seen those before? One big issue I've found is that when you load an article from the original article site, it's displayed with a sidebar - and the sidebar messes up the formatting of the original page in a big way. Oh well, it's on somebody's bug list. Not mine. 

Then I see a newsflash that the Opera web browser is still alive - and just released version 9. I had a look - and by golly, it's a real web browser, unlike some of the older Opera incarnations. It does most of the stuff that IE and Firefox do, and in some cases a little bit more. Sigh - what it means for web developers is that they'll have to test with yet another browser to make sure everything works. On the bright side, it looks like my websites render just fine. I haven't yet verified that my AJAX stuff works on Opera - that's where things are most likely to get sticky.

I also notice that they do transparent PNGs - which means I can enable image drop shadows on Opera, but I'm in a quandary there. The load time for the drop shadow images is starting to bug me. Barksdale Rule #2 is "don't play with dead snakes" and this one is long deceased, but playing with it isn't what I had in mind. I'm thinking it needs killing all over again. 

While I'm looking at web browsers, I decide to have a look at the (yawn) documentation for Internet Explorer 7. An integrated search bar, tabs, RSS feeds. Put me to sleep already! But I have to laugh at the section entitled 'Security'...

Peace of Mind
And while you browse the web, Internet Explorer 7 automatically monitors your computer to protect you from unwanted and malicious programs that can be installed on your system as a result of surfing the web.

Uhm, pardon me... but...

Why can unwanted and malicious programs be installed on my computer as a result of surfing the web? Instead of protecting me from these evil programs that have been installed on my computer, why not fix the bugs that allow this to happen?

brain-damaged, generalization of "Honeywell Brain Damage" (HBD), a
theoretical disease invented to explain certain utter cretinisms in
Multics, adj:
Obviously wrong; cretinous; demented. There is an implication
that the person responsible must have suffered brain damage,
because he/she should have known better. Calling something
brain-damaged is bad; it also implies it is unusable.