now, should we keep that end graphic? :)

That's Javascript! I'm gonna run that!!! -Quote of the year.

"That's JavaScript code! I'm gonna run that!" Gotta love the childlike enthusiasm of this personification of web browsers.

*-html styling does not work in youtube comments. believe me-*

why in the world are you doing this in a hotel lobby?

There's a comment in a Javascript project I worked on that says: [bunch of checks for user input] //You know, if the users could just be more considerate //I wouldn't have to do any of this.

The guy who found the Facebook vulnerability was actually rudely rejected by Facebook and got his well deserved money as donations!

I love Tom Scott's enthusiasm for this stuff!

*Apparently HTML Works in KZbin Comments, judging by the large amount of bold comments* Can I put bootstrap into my comments to make them look pretty?

In a very dark place that wouldn't let us use a light! - its the Renaissance Hotel at St Pancras, London >Sean

"Which is not entiiiirely legal under the computer misuse act, but no one pressed charges" I didn't know he was such a rebel XD

"Cross site scripting is the number one vulnerability on the web today" me watching in 2023: hmmmm, sounds legit...

*bold* _slant_ -strike- *_-Magic-_*

The content of this video is true, however, none of it is about cross-site scripting.

Another cool thing for input dropdowns, is changing the value of one of the s in the , and then submitting. Especially if the output does something with the value of the dropdown, for example with an age input where the output has control over the date format, it completely screws up. Example: I change my birthday to "Cake Pie 1000BC". That will, on a lot of sites with profiles that use this dropdown system for birthdays, completely break the thing when it's trying to convert the month number for example to the month name, since there is no "Pie"th month in the year. It's quite harmless, unless the site actually displays the thing you entered in the input directly on the page, in which case you might indeed be able to insert a script tag. PS: I've managed to cause my profile to completely break by doing this on a site once, after which it just gave me back an error 500. Great fun. I decided to change it back afterwards though. (keep in mind that if your birthday is loaded onto your settings page too, you might also get an error on the settings page, and you won't be able to change it back)

This video just helped me notice an XSS vulnerability on one of my sites. Thank you. :|

wut wut

2:35 I've never seen a JavaScript code that looks like "i+i=2", it looks more like an equation :D

I love this guys enthusiasm when explaining. Makes it more interesting.

I love these videos because they explain how people have broken into webpages to re-write them, steal info, etc. You always hear how vulnerable stuff can be but never the specifics about how people get in. Great videos as usual, Brady!

The white balancing in this video confuses me.

alert("hi");

test

So Wikipedia describes him as a comedian to which I agree, but... Does he have a Masters in computer science or a title alike? He's got an amazing skill to explain complex stuff!

The ending doesn't have a dash because you are supposed to binge the next 20 computerphile videos after it...

So how on earth could you use javascript to make a webpage send users info to your pc if it only affects you?

I fucking love this guy!

I didn't understand a single word of what that guy just said but he's super engaging and the 8 minutes flew by.

Great video. I wish I had been taught at school by someone speaking passionately about their subjects like he does!

Omegle had that same problem for a bit when they introduced Spy Mode. They weren't sanitizing their question inputs, so for a while I would go around sticking JS in there that froze the computers of whoever got stuck with my question XD They fixed it in a few days, though.

Tom Scott is really good at explaining things and I LOVE the concepts he explains. More from Mr. Scott? :3

Pfft... ? You should use instead.

Client side filtering is a good idea because it can make it easier on the legitimate user. E.g. tell them the phone number is invalid before they hit submit, saving them time. But client side prefiltering does not add any additional security. All inputs must be fully validated at the server. There is no guarantee that an attacker will be using a polite client that follows your prefiltering rules. An attacker can download the page and remove the rules.

So if I typed *and closed it with* , youtube will make it bold?

so basically this is SQL injection but with javascript

I'm a BS Physics student(first year) I really want to learn more about Cyber Security, I want to shift but I would waste my scholarship so yeah I'm watching your videos...Thank you!

This man has a lot of energy and enthusiasm for this topic.

XSS is even more dangerous when coupled with Cross-site Request Forgery (CSRF). A video on CSRF would probably be a nice follow-up to this.

Ah yes, Bobby Tables. Definitely one of the more amusing tech jokes I've come across, still gets a good chuckle from me every time I read it. :)

Why does HTML use while BBCode use [/]? I'm fairly code illiterate so no big words please @.@

alert("What a Duhhh...???");

I like the dark lighting. Makes it feel more laid back and down to earth :D

You should do Cross-Site Reference Forgery next. Tom is so cute~~

He's so funny yet so informative. More of this guy!

Just trying to see if the bold tag works here

Wheeeeeee

"Someone *at Netscape* comes along and invents JavaScript!"

Its funny how many people are actually trying to do XSS on KZbin just because they saw a video explaining about it xD

*_GUYS IT WORKS!_*

Where did you even get dot matrix printer paper?

That is JavaScript! I'm gonna RUN that!

But how can you influence the web page of others by just modifying script on the page you were sent ? You can modify whatever you want, but when another person will send a request to the site, it will send them back the original page, without any of the modification you applied. Am I wrong ?

5:58 not TECHNICALLY ENTIRELY LEGAL

Test *Test* Test

The and tags were deprecated loooong before this video was released :(

So you are basically adding scripts in input boxes where the designers never intended you to be able to do that, just like xml injection, but with javascript. Why is it called cross site scripting then? there is only one site involved in this process right? for me the name implied that you scripted something from one site to another, somehow.

You have ruined my internet searching for life. Not every time I see a user input box i need to put in code xD

3:55 Just send Rick Astley instead.

"never trust user input" This should have been this video's conclusion! =)

I just accidentally crashed the website of my mothers business. I thought searching for "kast" (dutch for closet) wouldn't do anything...turns out it did, and the site is down Edit: turns out it's only on the wifi that i'm on (I guess it has something to do with IP-adresses?) so that's a relief.

Tom “You should know this” Scott

I saw a video where someone explained how to gain (control) of /root; using this method on the most secure linux systems through a stack buffer overflow (overloading the system memory in a way that lets them right whatever they choose). /root on a systme = god

"Someone comes along and invents JavaScript." It would be nice if you gave him credit. It was Brendan Eich.

Discord forgot about XSS on their new servers page and someone used it to steal accounts 😂

Tom explains this in 8 mins better than my Network security professor in an entire lecture

That's quite bold

Computerphile can just have a self-closing one:

All possible in theory, except that all browsers will not allow you to use javascript to send data from one page to another page or out to another server that's not part of the website you are on. He also said that javascript runs on the server, but in fact it runs locally on your browser. You can hack a browser to allow inter-page and inter-site sending, but then you have to get that browser into the target's machine and make them use it instead of the real one.

I would just like to thank who ever's idea it was to do the Audible promotion because audio books are expensive and getting a free one was a really nice gesture.

Surprisingly, a few years back (2010) KZbin messed up and something similar to that would work...

The passion and enthousiasm is great ! More please :)

This reminds me of Bobby Tables.

should be for a single-tag element, not as most people will suggest, because the latter is the closing tag for a double-tag element.

*_-I'm A Wizard-_*

Great video! More please :) Also, love his impression of a web browser at 5:33 :)

What about the Javascript consoles that almost all browsers have? Why aren't those dangerous?

LOL everyone in the comments apparently don't know that not all textboxes translates your input into pure HTML *sigh*

I don't quite understand this... How come, if I change the javascript on a certain webpage locally, other people can see it? I've never heard of that before - Or are you guys on about sites that don't check values on serverside and just save whatever you post to it?

I like the darkness, it adds to the atmosphere, and (at least I can) still see everything just fine...

Somebody recently got a bunch of money from Google because they found something like this in KZbin that made it possible for people to delete every video on the site.

don't understand how this could be dangerous.For example anyone can click inspect element and type some text into their web browser and change a COPY of the page they're looking at no one else will ever use that copy you have changed.In this same manner, how would me writing a script inside of my copy of a webpage effect someone else's copy?

So let's say I find an exploit, but I decide not to tell the company... Who else can I tell?

Dot Matrix paper for notes!?! Someone's got funding!

i will try to hack the comment section by using script lol!!!

Googled Rick Astley, rick rolled again :/

_All of you guys talking about and ...I'll be over here having fun with my _*__*_ tag!!_

bold text: *test*

that's why i tried breaking things lol

"That is Javascript code I'm gonna run that!" love it!

Doug65536, Please make a video about how one should conduct an XSS attack. Lemmi know when its up. Thanks

alert("hello");

Great description of unauthorized Javascript execution but I didn't quite get what was the "cross site" part of this.

Tom Scott is definitely my new favorite, especially considering all of Brady's other channels have slowed down. Tom is making a very good showing. Keep it up.

4:03 "Because myspace hadn't quite filtered javascript properly". Brilliant!

What the hell? What happened to the white balance between this video and the last?!

" **it works** " "it doesn't work"

Defiantly the most ecstatic video you've done, really entertaining, whilst also quite educational.

The bold, scorethrough and italics formatting of text in the comments isn't due to html. It's using specific symbols youtube has designated for this purpose such as asterixes before and after txt for *BOLD*

I love this guy. He really seems to love what he's doing.

BAD, BAD, TOM. Do not put formatting in your HTML.