Cracking Websites with Cross Site Scripting - Computerphile

1,548,083 views

Computerphile

Comments
@SpencerGreenDotNet 8 years ago
"That's JavaScript code! I'm gonna run that!" Gotta love the childlike enthusiasm of this personification of web browsers.
@Tokkemon 10 years ago
That's Javascript! I'm gonna run that!!! -Quote of the year.
@Computerphile 11 years ago
now, should we keep that end graphic? :)
@Wrswest 9 years ago
There's a comment in a Javascript project I worked on that says: [bunch of checks for user input] //You know, if the users could just be more considerate //I wouldn't have to do any of this.
@zwz.zdenek 11 years ago
The guy who found the Facebook vulnerability was actually rudely rejected by Facebook and got his well deserved money as donations!
@PrivatePaul 10 years ago
why in the world are you doing this in a hotel lobby?
@DavidChipman 9 years ago
I love Tom Scott's enthusiasm for this stuff!
@idamontede 9 years ago
*-html styling does not work in youtube comments. believe me-*
@capnapalm 11 years ago
I love these videos because they explain how people have broken into webpages to re-write them, steal info, etc. You always hear how vulnerable stuff can be but never the specifics about how people get in. Great videos as usual, Brady!
@カラスKarasu 9 years ago
"Which is not entiiiirely legal under the computer misuse act, but no one pressed charges" I didn't know he was such a rebel XD
@joeytje50 11 years ago
Another cool thing for input dropdowns, is changing the value of one of the s in the , and then submitting. Especially if the output does something with the value of the dropdown, for example with an age input where the output has control over the date format, it completely screws up. Example: I change my birthday to "Cake Pie 1000BC". That will, on a lot of sites with profiles that use this dropdown system for birthdays, completely break the thing when it's trying to convert the month number for example to the month name, since there is no "Pie"th month in the year. It's quite harmless, unless the site actually displays the thing you entered in the input directly on the page, in which case you might indeed be able to insert a script tag. PS: I've managed to cause my profile to completely break by doing this on a site once, after which it just gave me back an error 500. Great fun. I decided to change it back afterwards though. (keep in mind that if your birthday is loaded onto your settings page too, you might also get an error on the settings page, and you won't be able to change it back)
@Computerphile 11 years ago
In a very dark place that wouldn't let us use a light! - it's the Renaissance Hotel at St Pancras, London >Sean
@_Super_Hans_ 11 years ago
I didn't understand a single word of what that guy just said but he's super engaging and the 8 minutes flew by.
@hakeemgreen8788 10 years ago
I love this guy's enthusiasm when explaining. Makes it more interesting.
@ComputersAreRealCool 9 years ago
*Apparently HTML Works in KZbin Comments, judging by the large amount of bold comments* Can I put bootstrap into my comments to make them look pretty?
@tajultonim 1 year ago
"Cross site scripting is the number one vulnerability on the web today" me watching in 2023: hmmmm, sounds legit...
@kimbosprite 9 years ago
This man has a lot of energy and enthusiasm for this topic.
@aspermwhalespontaneouslyca8938 1 year ago
The ending doesn't have a dash because you are supposed to binge the next 20 computerphile videos after it...
@hoon4tw 11 years ago
Tom Scott is definitely my new favorite, especially considering all of Brady's other channels have slowed down. Tom is making a very good showing. Keep it up.
@illustriouschin 11 years ago
I would just like to thank whoever's idea it was to do the Audible promotion because audio books are expensive and getting a free one was a really nice gesture.
@imagedezach 6 years ago
Tom explains this in 8 mins better than my Network security professor in an entire lecture
@vuralmecbur9958 10 years ago
2:35 I've never seen a JavaScript code that looks like "i+i=2", it looks more like an equation :D
@juan193 8 years ago
So Wikipedia describes him as a comedian to which I agree, but... Does he have a Masters in computer science or a title alike? He's got an amazing skill to explain complex stuff!
@henhouse 9 years ago
This video just helped me notice an XSS vulnerability on one of my sites. Thank you. :|
@DivinityStripes 11 years ago
Tom Scott is really good at explaining things and I LOVE the concepts he explains. More from Mr. Scott? :3
@malinovy_pirojok 3 months ago
12 years later, I find this video, Tom Scott thanks for the information and your enthusiasm)
@ShellmanDeluxe 11 years ago
I like the dark lighting. Makes it feel more laid back and down to earth :D
@EliPerelman 11 years ago
XSS is even more dangerous when coupled with Cross-site Request Forgery (CSRF). A video on CSRF would probably be a nice follow-up to this.
@RichardMurrie 11 years ago
Great video. I wish I had been taught at school by someone speaking passionately about their subjects like he does!
@Hiimstring3 11 years ago
Definitely the most ecstatic video you've done, really entertaining, whilst also quite educational.
@el__monke 9 years ago
*bold* _slant_ -strike- *_-Magic-_*
@won1853 11 years ago
He's so funny yet so informative. More of this guy!
@alpenwasser6869 11 years ago
Ah yes, Bobby Tables. Definitely one of the more amusing tech jokes I've come across, still gets a good chuckle from me every time I read it. :)
@BrendtWaters 11 years ago
Between the SQL holes video and this one, I sure am glad that Tom Scott is on our side.
@idevilousbho5491 6 years ago
I'm a BS Physics student(first year) I really want to learn more about Cyber Security, I want to shift but I would waste my scholarship so yeah I'm watching your videos...Thank you!
@maurerpe 11 years ago
Client side filtering is a good idea because it can make it easier on the legitimate user. E.g. tell them the phone number is invalid before they hit submit, saving them time. But client side prefiltering does not add any additional security. All inputs must be fully validated at the server. There is no guarantee that an attacker will be using a polite client that follows your prefiltering rules. An attacker can download the page and remove the rules.
@nandoflorestan 8 years ago
The content of this video is true, however, none of it is about cross-site scripting.
@tinkerttoy 11 years ago
Absolutely! I adore how he speaks so strongly about these things, his rhetorical skills are very well-developed and he's a joy to listen to.
@TehGordonFreeman 11 years ago
I like the darkness, it adds to the atmosphere, and (at least I can) still see everything just fine...
@heatherfryling4868 8 hours ago
Computerphile always has the best explanations!
@AugustEllison1 11 years ago
The passion and enthusiasm is great! More please :)
@Azure1992 11 years ago
I liked the little touch of you guys putting the / in the closing tag at the end of the show.
@vacklinge 11 years ago
I love this guy. He really seems to love what he's doing.
@danielchequer5842 5 years ago
This channel makes me feel like a numberphile from another dimension has crashed into ours
@Alex2Buzz 9 years ago
"Someone *at Netscape* comes along and invents JavaScript!"
@faizanshariff7246 2 years ago
Watching this in 2022 and this still feels so relevant.
@AdamYarris 10 years ago
You have ruined my internet searching for life. Not every time I see a user input box I need to put in code xD
@codebeatr 11 years ago
Please, talk this guy into having his own channel, or make more videos with him, he is awesome!
@voxlvalyx 9 years ago
The white balancing in this video confuses me.
@RyanHansen_101 11 years ago
4:03 "Because myspace hadn't quite filtered javascript properly". Brilliant!
@UberJamesMan 9 years ago
wut wut
@DarkYuan 11 years ago
It's worth mentioning (and possibly a future video topic) that even if your website's forms are supposedly "secure" anybody can make a form on their own site that submits to yours. No matter what, make sure ALL input processed by your website is properly escaped.
@mayur1234560 11 years ago
This is amazing! That guy should have more videos!
@coreytk 11 years ago
Excellent video! I learned a lot and the enthusiasm of the speaker made it even more exciting!
@prestonferry 5 years ago
Tom “You should know this” Scott
@carostrickland4035 11 years ago
"Just send Rick Astley instead". World's most DANGEROUS HACKER.
@rlamacraft 11 years ago
Great video! More please :) Also, love his impression of a web browser at 5:33 :)
@mr-osama-mustafa 1 year ago
The best and simplest explanation ever in XSS :)
@misterbasic 6 years ago
5:33 My favourite moment in this entire video.
@imjinc2k 11 years ago
Short answer is complexity. In some cases there are automatic filters, but it isn't always clear to each system which input is trusted and which isn't. MySQL, for example, doesn't know whether it's talking to an administrator sending handwritten commands, or the web app itself. Parts of your 'site' may include 3rd-party JavaScript pulled from advertisers, or analytics, or a database. There might be a WYSIWYG editor on your site that allows users to mark up their comments with HTML, etc...
@IceMetalPunk 11 years ago
Omegle had that same problem for a bit when they introduced Spy Mode. They weren't sanitizing their question inputs, so for a while I would go around sticking JS in there that froze the computers of whoever got stuck with my question XD They fixed it in a few days, though.
@hidalginator21 11 years ago
Make more of these type of videos! They are very interesting and incredibly informative.
@danman6669 3 years ago
"Someone comes along and invents JavaScript." It would be nice if you gave him credit. It was Brendan Eich.
@hecanylmz 8 months ago
Another great explanation fulfilled by highly understandable and educated content!
@_multigrin 11 years ago
"That is Javascript code I'm gonna run that!" love it!
@Seegalgalguntijak 11 years ago
Now that I come to think of it, the closing tag </computerphile> at the end of each video makes total sense. Just never thought of it, I guess it wasn't important enough to notice.
@therattman 9 years ago
It's funny how many people are actually trying to do XSS on KZbin just because they saw a video explaining about it xD
@seyu8666 2 years ago
My god...Tom Scott is GOAT
@TechyBen 11 years ago
The camera sways so much, I thought it was a ferry. :D
@TheVanapapi 11 years ago
This guy is so enthusiastic. Love it!
@martonlovas4583 5 years ago
5:58 not TECHNICALLY ENTIRELY LEGAL
@EddyProca 11 years ago
They are two different tags. b is for text that is supposed to be bold, but not for styling reasons. strong is for text that is supposed to be styled in a way that makes it more prominent than the rest of the text.
@NehalemUnleashed 11 years ago
That is JavaScript! I'm gonna RUN that!
@Nixitur 11 years ago
That end graphic is really clever and I like it.
@danielsimmons3956 8 years ago
Where did you even get dot matrix printer paper?
@sdlion7287 10 years ago
It's important to note that when you have a user input you should check that the data he is sending should only contain the correct text in a certain context. I'm not talking about scripting to deface some web, but whatever a user can put in your site and be seen by other people, could be used to fraud them. E.g. your users can create sub users, and each user has a balance. One user could trick other people to pay them to deposit them more credit on their accounts, then they would put on the new user's username something like "User1 $10.00" and the victim would think "Oh! I got the credit!", then the fraudster could flee with their money.
Field Context: Username
Web Context: Each user has a balance and certain users can create users.
Enforced Limitations: User names shouldn't have currency signs
@ZestyCrunchy 11 years ago
"That's Javascript code! I'm going to run that! " hahaha that was hilarious
@werdnativ 11 years ago
You're right that it's not on the server, but you can certainly use this technique to change things there: If I can have the site display my script within your browser session, I can take over your account. That means, deleting your inbox, transferring your money, etc. It all happens through the "front door" as far as the server knows, but it's being done through a hijacked session.
@Falconcoder 10 years ago
*_GUYS IT WORKS!_*
@jasonneu81 10 years ago
Nope.
@midsummerstation3345 9 years ago
***** *i think so*
@Celrador 11 years ago
One example would be WebKit only partially making use of the "min-" & "max-height" and "-width" properties. If you want more examples check the Wiki page "Comparison of layout engines (CSS)"
@Fck1ng 11 years ago
"That's a JavaScript code! I'm gonna run that!!!"
@Butt4cak3 11 years ago
That's probably more because it's more user-friendly. You can't control what the user sends to the server by using specific controls. As a visitor, you can actually change a page's appearance. For example, in Google Chrome, right click the KZbin search bar, go to element inspection, right click the highlighted line in the bottom section and add an attribute type="number". It will change into a number input. You can do something like this to a dropdown and make it a text input instead.
@MrHyde-fu5sr 9 years ago
don't understand how this could be dangerous. For example anyone can click inspect element and type some text into their web browser and change a COPY of the page they're looking at no one else will ever use that copy you have changed. In this same manner, how would me writing a script inside of my copy of a webpage affect someone else's copy?
@lolbajset 9 years ago
+Curran Hyde If i understood the video correctly it is when someone else visits your webpage that the script gets executed. If I make a website and add a script in the middle of its html, it will run when you or anyone else loads the page, thus enabling attacks. Again, that's at least how I understood it, could be wrong
@MrAntiKnowledge 9 years ago
+Curran Hyde It only becomes a problem for sites which allow users to post something which gets displayed to other users. Like this comment here (only that youtube is smart enough to filter out code). If you don't have a filter active that say... replaces "" with "<script>"* then whatever the user writes in between and will be run as code in the Browser of another user who happens to get that text either because it was sent to his account, or cause he visited the page where it was posted. *("<script>" would be displayed as to the user, but the browser understands that it shouldn't be run as code)
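Added example (not part of the comments above, and not YouTube's own code): the replacement the reply above describes, turning `<script>` into `&lt;script&gt;` before a stored comment is shown to other users, with the unescaped rendering beside it. The function names, comment objects and sample comments are constructed for illustration.

```javascript
// Added example: escape user-supplied text at output time, before it enters HTML.
// Function names and sample data are assumptions made for this illustration.

const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Replace every character that can start markup or end an attribute value.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable form: stored text is concatenated into the page as-is.
function renderCommentUnsafe(comment) {
  return `<li><b>${comment.author}</b>: ${comment.body}</li>`;
}

// Hardened form: every user-controlled field is escaped when rendered.
function renderComment(comment) {
  return `<li><b>${escapeHtml(comment.author)}</b>: ${escapeHtml(comment.body)}</li>`;
}

// True if the fragment contains any tag other than the template's own <li>/<b>.
function containsForeignTag(html) {
  const tags = html.match(/<\/?([a-zA-Z][a-zA-Z0-9]*)/g) || [];
  return tags.some((t) => !/^<\/?(li|b)$/i.test(t));
}

// Constructed sample comments, as different users might have submitted them.
const storedComments = [
  { author: "alice", body: "Great video!" },
  { author: "mallory", body: "<script>alert(1)</script>" },
  { author: "bob", body: "if (a < b && b > c) { ... }" },
];

for (const c of storedComments) {
  console.log(
    c.author,
    "| unescaped output carries a foreign tag:", containsForeignTag(renderCommentUnsafe(c)),
    "| escaped output carries a foreign tag:", containsForeignTag(renderComment(c))
  );
  console.log("   " + renderComment(c));
}
```

The escaping happens on the server (or wherever the page is assembled) for every viewer, which is why it protects other users even when the submitter bypassed any client-side checks.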
@NetgearProductions 10 years ago
So how on earth could you use javascript to make a webpage send users info to your pc if it only affects you?
@icewallowcome3023 11 years ago
"never trust user input" This should have been this video's conclusion! =)
@NottheBoson 11 years ago
Wow, I was literally about to send a request for a video on this, I have to do an assignment on this for college, Thank you!
@shazbots 9 years ago
This reminds me of Bobby Tables.
@Xt4209 2 years ago
I want these guys to talk about what the hell we experienced on the internet with 2020
@runescaper1333 10 years ago
So if I typed *and closed it with* , youtube will make it bold?
@elminz 11 years ago
Yeah, I phrased it badly, I meant to say that validation/filtering server side is 100% essential for any input. Client side validation is more of a latency thing for the client, since the person won't need to wait for it to come back invalid (saves server load as well).
@beat461 9 years ago
So you are basically adding scripts in input boxes where the designers never intended you to be able to do that, just like xml injection, but with javascript. Why is it called cross site scripting then? there is only one site involved in this process right? for me the name implied that you scripted something from one site to another, somehow.
@code-dredd 11 years ago
I understand what you mean, but there's a difference between a tag and an actual computer instruction. The tag is just a tag and I think it's more accurate to call it that. I think this inaccuracy can cause confusion in the sense that people might think HTML is a programming language like C++ (which it isn't) because you have "instructions". I hope this clarifies what I mean.
@durchschnittlich 9 years ago
Computerphile can just have a self-closing one:
@Celrador 11 years ago
Yeah, I got your point and I also agree on the confusion that it might cause. But I still think, that they also can be called instructions. The special point about C++ or other "real" programming/scripting languages is, that they have functions. (May it be add(x,y); or "i = x + y; - How the function looks doesn't matter.) It's still a function though, that processes data and not just a lonely instruction. I rather think, that people should be taught the proper distinction between those two.
@mohamedelgamal3202 4 years ago
so basically this is SQL injection but with javascript
@MrBenMcLean 8 years ago
Great description of unauthorized Javascript execution but I didn't quite get what was the "cross site" part of this.
@hapatraditionalist1478 9 years ago
should be for a single-tag element, not as most people will suggest, because the latter is the closing tag for a double-tag element.
@TheLatterPartOfToday 11 years ago
They aren't doing this to teach us their craft. They are just giving us insight into their trade. Those are two very different things.
@error.418 9 years ago
The and tags were deprecated loooong before this video was released :(
@Kissdaboss 7 years ago
I really enjoy your videos! Well done!