WebApp Sec mailing list archives
Re: Preventing cross site scripting
From: "Tim Greer" <chatmaster () charter net>
Date: Thu, 19 Jun 2003 19:47:25 -0700
----- Original Message -----
From: "Alex Lambert" <alambert () quickfire org>
To: "David Cameron" <dcameron () itis-now com>; "Andrew Beverley" <mail () andybev com>; <webappsec () securityfocus com>
Sent: Thursday, June 19, 2003 7:13 PM
Subject: Re: Preventing cross site scripting
What about onClick (etc) attributes? i.e. <img src="good.gif*" onMouseOver="evil();">
Onclick, onmouse, etc. don't do any good to the person trying them, if you don't allow double quotes and single quotes, etc. within an anchor, image/sr. type tag. Such as (as again, converting all tags first and then putting them back together):

s/<\s*img\s+sr.\s*=\s*['"](https?:\/\/)?(\w@:\w+.){1,}\.\w{2,4}(/\w.\/\?\ $)*\s*?$gt;/

... and so on... It will not allow anything to work that you don't allow in the sr. tag. Again, just an example, not a working regex or complete. This is the entire point--not to guess about "well, what if someone...", because you know 'exactly' what they are able to do...

--
Regards,
Tim Greer chatmaster () charter net
Server administration, security, programming, consulting.
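
The approach described in the message above (escape every tag first, then put back only the ones that match a strict pattern), as an added Python example that is not part of the original post or the poster's code. The function name `sanitize`, the URL character set and the sample inputs are assumptions made for illustration.

```python
import html
import re

# Assumed allowlist: an <img> tag whose ONLY attribute is src, holding an
# absolute http(s) URL built from a conservative character set. The pattern is
# applied to text that is already HTML-escaped, so the tag delimiters and
# quotes appear as &lt; &gt; &quot; &#x27;.
ALLOWED_IMG = re.compile(
    r"&lt;\s*img\s+src\s*=\s*(?P<q>&quot;|&#x27;)"
    r"(?P<url>https?://[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+(?:/[A-Za-z0-9._~/-]*)?)"
    r"(?P=q)\s*/?\s*&gt;",
    re.IGNORECASE,
)


def sanitize(user_html: str) -> str:
    """Escape all markup, then rebuild only the <img> tags that match."""
    # Step 1: neutralise every tag and quote in the input.
    escaped = html.escape(user_html, quote=True)
    # Step 2: re-emit a fresh tag built from the validated URL alone. Nothing
    # else from the submitted tag (extra attributes, odd quoting) is copied.
    return ALLOWED_IMG.sub(
        lambda m: '<img src="%s">' % m.group("url"), escaped
    )


# Constructed sample inputs, including the case raised in the quoted question.
SAMPLES = [
    '<img src="http://example.com/good.gif">',
    '<img src="http://example.com/good.gif" onMouseOver="evil();">',
    "<IMG SRC='http://example.com/a.gif'>",
    '<img src="javascript:evil()">',
    '<b>bold</b> text',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print("%-65s -> %s" % (sample, sanitize(sample)))
```

Only the first and third samples come back as live tags; the tag carrying an event handler never matches the pattern, so it stays escaped and renders as text.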