Vulnerability Development mailing list archives
Re: CROSS SITE-SCRIPTING Protection with PHP
From: "Sverre H. Huseby" <shh () thathost com>
Date: Mon, 14 Oct 2002 18:06:51 +0200
The new platform could also make it harder for someone to pass bogus data by:

* Always removing 0-bytes from input (input is typically URLs and their parameters, POSTed data and HTTP headers (including cookies)).

* Forcing input fetching through some validation function, e.g. request.form.getInteger("foo", 0, 100) to have an integer between 0 and 100, rather than request.form.get("foo"), and then doing proper error handling automatically (abort and log if the parameter was not supposed to be tampered with, redisplay the form with an error message if the data was supposed to be typed in by a user).

* Automatically providing tamper control (e.g. message digests) for data that are not supposed to be tampered with.

* Automatically checking the length of input where possible.

To make everything even more automatic, the system could start with a high level definition of all objects (and possibly all web pages). Given this definition (these definitions), one could automatically generate database tables, type checking code, length checking code, form input fields and so on.

I'm not sure how to do all this, but I'm sure someone will be able to do it.

Sverre.

--
shh () thathost com
Computer Geek? Try my Nerd Quiz
http://shh.thathost.com/
http://nerdquiz.thathost.com/
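The input layer sketched in the post above, written out as an added example (my code, not the poster's and not any existing framework); the names Form, get_integer, get_signed, sign and fetch_integer are assumptions. It strips NUL bytes and caps length on entry, fetches integers through a typed accessor with a range, distinguishes user-typed from not-to-be-tampered parameters when reporting failures, and verifies an HMAC digest on hidden fields.

```python
import hashlib
import hmac
import re
SECRET_KEY = b"constructed-demo-key"  # placeholder; a real site uses a per-deployment secret

class UserInputError(ValueError): pass   # user-typed data is bad: redisplay the form
class TamperError(ValueError): pass      # a value the user could not edit changed: abort and log

class Form:
    def __init__(self, params, max_len=256):
        # Strip NUL bytes from every value and cap its length before any other code sees it.
        self.params = {}
        for name, value in params.items():
            value = value.replace("\0", "")
            if len(value) > max_len:
                raise UserInputError(f"{name}: longer than {max_len} characters")
            self.params[name] = value

    def get_integer(self, name, lo, hi, user_typed=True):
        # Typed fetch: returns an int in [lo, hi]; the exception class tells the caller
        # whether to redisplay the form (user-typed) or abort and log (tampered).
        err = UserInputError if user_typed else TamperError
        raw = self.params.get(name, "")
        if not re.fullmatch(r"-?\d+", raw):
            raise err(f"{name}: not an integer")
        n = int(raw)
        if not lo <= n <= hi:
            raise err(f"{name}: {n} outside [{lo}, {hi}]")
        return n

    def get_signed(self, name):
        # Tamper control for hidden fields sent as "<value>.<hexdigest>".
        raw = self.params.get(name, "")
        value, sep, mac = raw.rpartition(".")
        if not sep or not hmac.compare_digest(mac, sign(name, value)):
            raise TamperError(f"{name}: digest mismatch")
        return value

def sign(name, value):
    # The MAC covers the field name too, so a digest cannot be moved to another field.
    return hmac.new(SECRET_KEY, f"{name}={value}".encode(), hashlib.sha256).hexdigest()

def fetch_integer(form, name, lo, hi, user_typed=True):
    # Maps a failure to the reaction the post describes: ("redisplay", msg) or ("abort", msg).
    try:
        return ("ok", form.get_integer(name, lo, hi, user_typed))
    except UserInputError as e:
        return ("redisplay", str(e))
    except TamperError as e:
        return ("abort", str(e))
```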
Current thread:
- CROSS SITE-SCRIPTING Protection with PHP Astalavista Baby (Oct 10)
- Re: CROSS SITE-SCRIPTING Protection with PHP Valdis . Kletnieks (Oct 10)
- Re: CROSS SITE-SCRIPTING Protection with PHP Marvin Simkin (Oct 11)
- Re: CROSS SITE-SCRIPTING Protection with PHP Sverre H. Huseby (Oct 12)
- RE: CROSS SITE-SCRIPTING Protection with PHP Rob Shein (Oct 14)
- Re: CROSS SITE-SCRIPTING Protection with PHP Sverre H. Huseby (Oct 14)
- Re: CROSS SITE-SCRIPTING Protection with PHP Sverre H. Huseby (Oct 14)
- Re: CROSS SITE-SCRIPTING Protection with PHP Valdis . Kletnieks (Oct 14)
- Re: CROSS SITE-SCRIPTING Protection with PHP Dan Kaminsky (Oct 14)
- Hashes,File protection,etc Dave Aitel (Oct 14)
- Re: Hashes,File protection,etc Dan Kaminsky (Oct 14)
- Re: Hashes,File protection,etc Dave Aitel (Oct 14)
- /instmsg/alias/annoying_web_logs ;) H D Moore (Oct 15)
- Re: /instmsg/alias/annoying_web_logs ;) zeno (Oct 15)
- Re: /instmsg/alias/annoying_web_logs ;) Dave Aitel (Oct 15)
- Re: /instmsg/alias/annoying_web_logs ;) zeno (Oct 15)
- RE: /instmsg/alias/annoying_web_logs ;) Elan Hasson (Oct 15)
- Re: CROSS SITE-SCRIPTING Protection with PHP Marvin Simkin (Oct 11)
- Re: CROSS SITE-SCRIPTING Protection with PHP Valdis . Kletnieks (Oct 10)