WebApp Sec mailing list archives

Re: Preventing cross site scripting


From: "Alex Lambert" <alambert () quickfire org>
Date: Thu, 19 Jun 2003 21:13:38 -0500

What about onClick (etc) attributes? i.e. <img src="good.gif*"
onMouseOver="evil();">

JavaScript entities are rare but dangerous. See Gobbles's unoriginal
advisory at
http://cert.uni-stuttgart.de/archive/bugtraq/2002/05/msg00096.html

Whitelisting is preferable to blacklisting. Allow through only what is
needed.

There was a similar question posted last year;
http://www.securityfocus.com/archive/107/269374/2003-06-17/2003-06-23/1

Hope this helps! :)



Alex Lambert



* expires tomorrow, whee! http://burnallgifs.org/

----- Original Message -----
From: "David Cameron" <dcameron () itis-now com>
To: "Andrew Beverley" <mail () andybev com>; <webappsec () securityfocus com>
Sent: Thursday, June 19, 2003 8:50 PM
Subject: RE: Preventing cross site scripting


Create a list of unacceptable tags in an array (e.g. applet, embed), loop
through the array and generate a regexpr based on the array, something of
the form:
<(applet)|(embed).?> and replace all instances with "".

Do the same for any possible closing tags, i.e.:
</(applet)|(embed)> and replace all instances with "".

BTW the RegExpr may be wrong, I'm not all that hot on RegExprs, but you get
the idea.

regards
David Cameron
nOw.b2b
dcameron () itis-now com
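
Added example, not part of either message above: a tag blacklist run against the onMouseOver case from the reply, beside an allowlist filter that lets through only listed tags and attributes. The blacklist pattern, the ALLOWED policy and all function names are assumptions made for this illustration.

```python
import re
from html import escape
from html.parser import HTMLParser

# Blacklist in the spirit of the quoted suggestion. The pattern is written
# for this example (an assumption), not copied from the message.
BLACKLIST = re.compile(r"</?(applet|embed)\b[^>]*>", re.IGNORECASE)

def blacklist_filter(html):
    return BLACKLIST.sub("", html)

# Allowlist policy (constructed for this example): tag -> permitted attributes.
ALLOWED = {"b": set(), "i": set(), "p": set(), "a": {"href"}, "img": {"src", "alt"}}
VOID = {"img"}                      # tags that take no closing tag
URL_ATTRS = {"href", "src"}
# http(s) URLs, site-relative paths, or a bare file name; everything else
# (javascript:, data:, "&{...};" entities) is rejected.
SAFE_URL = re.compile(r"^(https?://|/|[\w.-]+$)", re.IGNORECASE)

class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            return                  # unknown tag: drop markup, keep inner text
        kept = []
        for name, value in attrs:   # the parser lowercases attribute names
            value = (value or "").strip()
            if name not in ALLOWED[tag]:
                continue            # onclick, onmouseover, style, ...
            if name in URL_ATTRS and not SAFE_URL.match(value):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED and tag not in VOID:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))

def allowlist_filter(html):
    parser = AllowlistSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)
```

The blacklist returns the img tag unchanged because img is not on its list; the allowlist re-emits the tag with only its src attribute.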



