WebApp Sec mailing list archives
Re: Preventing cross site scripting
From: "Alex Lambert" <alambert () quickfire org>
Date: Thu, 19 Jun 2003 21:13:38 -0500
What about onClick (etc) attributes? i.e. <img src="good.gif*" onMouseOver="evil();"> JavaScript entities are rare but dangerous. See Gobbles's unoriginal advisory at http://cert.uni-stuttgart.de/archive/bugtraq/2002/05/msg00096.html Whitelisting is preferable to blacklisting. Allow through only what is needed. There was a similar question posted last year; http://www.securityfocus.com/archive/107/269374/2003-06-17/2003-06-23/1 Hope this helps! :) Alex Lambert * expires tomorrow, whee! http://burnallgifs.org/ ----- Original Message ----- From: "David Cameron" <dcameron () itis-now com> To: "Andrew Beverley" <mail () andybev com>; <webappsec () securityfocus com> Sent: Thursday, June 19, 2003 8:50 PM Subject: RE: Preventing cross site scripting Create a list of unacceptable tags in an array (eg applet, embed), loop through the array and generate a regexpr based on the array, something of the form: <(applet)|(embed).?> and replace all instances with "". Do the same for any possible closing tags ie: </(applet)|(embed)> and replace all instances with "". BTW the RegExpr may be wrong, I'm not all that hot on RegExprs, but you get the idea. regards David Cameron nOw.b2b dcameron () itis-now com
Current thread:
- Re: Preventing cross site scripting, (continued)
- Re: Preventing cross site scripting Tim Greer (Jun 21)
- Message not available
- Re: Preventing cross site scripting Tim Greer (Jun 21)
- Re: Preventing cross site scripting Laurian Gridinoc (Jun 21)
- Re: Preventing cross site scripting Tim Greer (Jun 21)
- Re: Preventing cross site scripting Tim Greer (Jun 20)
- Re: Preventing cross site scripting Tim Greer (Jun 19)
- Re: Preventing cross site scripting Alex Lambert (Jun 19)
- Re: Preventing cross site scripting Tim Greer (Jun 19)
- RE: Preventing cross site scripting Mutallip Ablimit (Jun 19)
- RE: Preventing cross site scripting Jeremiah Grossman (Jun 19)
- Re: Preventing cross site scripting Tim Greer (Jun 19)
- Re: Preventing cross site scripting Tim Greer (Jun 19)
- Re: Preventing cross site scripting Tim Greer (Jun 19)
- Re: Preventing cross site scripting Tim Greer (Jun 20)