Cross Site Scripting is not the same as CSS

In my previous life as a coder, I worked for a while in the DHS Office of the CIO with the accountants. We wrote and managed a website to let the DHS components (Secret Service, CBP, etc) submit their monthly accounting files.

First, some background on building websites. Skip this if you’ve ever built a website. To build a page, all you need is HTML. Think of it like your docx file – your word processor reads a docx file and shows you a pretty document. Your web browser reads an html file and shows you a pretty web page. This is a massive oversimplification but we’re moving on.

One optional thing you can have in your HTML file is CSS. You know how links in pages are blue and underlined most of the time? Let’s say you want them all to be orange. You can add CSS to your HTML page that says “make all the links orange”. It uses different syntax but that’s not important. Now your browser knows to make all the links orange.

Nearly every website you have ever visited uses CSS to make things look pretty. It’s like how nearly every car you’ve ever seen uses paint. It’s POSSIBLE to have a car without paint, but it looks dumb and breaks if it goes through a carwash.

[Image: Tesla Cybertruck, a big stupid truck with no paint]

So there’s something else called Cross Site Scripting. This is bad. It’s complicated if you don’t understand it already, but all you need to know is that this is one method people use to try and steal your credit card or whatever.

You’ll note that Cross Site Scripting could also be written as CSS. To keep people from getting confused, we use XSS for Cross Site Scripting.
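To make the difference between the two concrete, here is an added example in Python (not code from the original post, and not the DHS site described in it). One page carries the post’s “make all the links orange” CSS rule, and one untrusted form field is rendered into that page two ways: pasted in raw, which is the XSS bug, and HTML-escaped, which is the fix. The function names, the sample field value and the “Submitted by” layout are constructed for illustration; the CSS never changes and is not what needs fixing.

```python
import html

# The post's CSS example: a stylesheet rule that turns every link orange.
# This is Cascading Style Sheets, a presentation feature, not a vulnerability.
ORANGE_LINKS_CSS = "a { color: orange; }"


def render_unsafe(display_name: str) -> str:
    """Vulnerable version: the untrusted field is pasted straight into the HTML.
    Anything in display_name that looks like markup is treated as markup by the
    browser, which is exactly what Cross Site Scripting (XSS) exploits."""
    return (
        "<html><head><style>" + ORANGE_LINKS_CSS + "</style></head>"
        "<body><p>Submitted by: " + display_name + "</p></body></html>"
    )


def render_safe(display_name: str) -> str:
    """Hardened version: the same page and the same CSS, but the untrusted field
    is HTML-escaped before it is placed in the document, so the browser can only
    ever show it as text. html.escape turns < > & " ' into entities."""
    return (
        "<html><head><style>" + ORANGE_LINKS_CSS + "</style></head>"
        "<body><p>Submitted by: " + html.escape(display_name, quote=True) + "</p></body></html>"
    )


def contains_script_tag(page: str) -> bool:
    """Simple check used to compare the two renderings: does the output contain
    a live <script ...> tag? (Escaped text like &lt;script&gt; does not match.)"""
    return "<script" in page.lower()


# Constructed sample input: a "name" field that contains markup instead of a name.
SAMPLE_NAME = 'CBP <script>alert("xss")</script>'

if __name__ == "__main__":
    print("unsafe render has live script tag:", contains_script_tag(render_unsafe(SAMPLE_NAME)))
    print("safe render has live script tag:  ", contains_script_tag(render_safe(SAMPLE_NAME)))
    print(render_safe(SAMPLE_NAME))
```

Running it shows the unsafe rendering contains a real `<script>` tag while the safe rendering contains only `&lt;script&gt;` text, and both still contain the orange-links stylesheet. The point for a policy writer: the XSS problem is fixed by escaping untrusted output, and banning CSS does nothing for it.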

Except DHS IT Security. They use CSS for both, and ban both from all DHS computer systems. Or they did in 2012; I haven’t worked there in a while. But know that this was at least as stupid then as it is now; it’s not a new thing. You would think the agency tasked with protecting US computer systems, among other things, would be knowledgeable about those computer systems.
