Bugtraq mailing list archives
Re: Cross site scripting: a long term fix
From: "Dmitry Yu. Bolkhovityanov" <D.Yu.Bolkhovityanov () INP NSK SU>
Date: Tue, 10 Oct 2000 13:46:11 +0700
On 8 Oct 00 at 17:15, dleblanc () MINDSPRING COM wrote:
> 2.2. Adding the count of bytes in the text.
>
> <text bytes='3'>ABC</text bytes='3'>
> <text bytes='3'>ABC</text>
>
> This works even better when tags are generated by a program. Counting bytes is a cheap operation.
>
> I like this better. Server gets n bytes from client, escapes out all of them. I can't think of a way around this just at the moment.
There is a small problem: if this resulting HTML code gets transcoded to/from UTF8, the "bytes" value will become wrong. And this conversion can happen in a proxy (which should *not* interpret each and every tag). UTF8 is probably not the only "problem-raising" encoding -- various CJK-related schemes come to mind.

BTW, what the "bytes=" should mean -- bytes or characters?

___________________________________________________________________
Dmitry Yu. Bolkhovityanov | Novosibirsk, RUSSIA
phone (383-2)-39-49-56    | The Budker Institute of Nuclear Physics
                          | Lab. 5-13
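The transcoding problem raised in this message, as an added example that is not part of the original post: a hypothetical reader for the proposed <text bytes='N'> element trusts the count, while a proxy re-encodes the stream between KOI8-R and UTF-8 without touching the tags. The function names and the sample string are assumptions made for illustration.

```python
import re

OPEN = re.compile(rb"<text bytes='(\d+)'>")
CLOSE = b"</text>"

def wrap(text, encoding):
    """Server side: emit the element with the byte length of the encoded text."""
    body = text.encode(encoding)
    return b"<text bytes='%d'>" % len(body) + body + CLOSE

def transcode(doc, src, dst):
    """Charset-converting proxy: re-encodes the stream without parsing any tag."""
    return doc.decode(src).encode(dst)

def read_counted(doc):
    """Hypothetical client: take exactly N bytes as inert text.
    Returns (payload, rest, ok); ok means </text> sits right after the payload."""
    m = OPEN.search(doc)
    n, start = int(m.group(1)), m.end()
    payload, rest = doc[start:start + n], doc[start + n:]
    return payload, rest, rest.startswith(CLOSE)

# Constructed sample: 6 characters, 6 bytes in KOI8-R, 12 bytes in UTF-8.
SAMPLE = "Привет"

def demo():
    """Run the element through no conversion and through both conversions."""
    results = {}
    for src, dst in (("koi8-r", "koi8-r"), ("koi8-r", "utf-8"), ("utf-8", "koi8-r")):
        doc = transcode(wrap(SAMPLE, src), src, dst)
        payload, rest, ok = read_counted(doc)
        # rest is whatever the reader would go on to parse as markup
        results[(src, dst)] = (len(payload), ok, rest)
    return results

if __name__ == "__main__":
    for (src, dst), (n, ok, rest) in demo().items():
        print(f"{src:>6} -> {dst:<6} counted={n:2d} close_tag_found={ok} rest={rest!r}")
```

When the payload grows (KOI8-R to UTF-8) the second half of the text falls outside the counted region; when it shrinks (UTF-8 to KOI8-R) the count runs over the closing tag. The character length of the sample is 6 in all three cases.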