Re: Preventing cross site scripting

["Tim Greer" <chatmaster () charter net>]

----- Original Message -----
From: "Jeremiah Grossman" <jeremiah () whitehatsec com>
To: "Mutallip Ablimit" <mutax () insi co jp>
Cc: <webappsec () securityfocus com>
Sent: Thursday, June 19, 2003 7:44 PM
Subject: RE: Preventing cross site scripting


> This post reminded me of another potential gotcha in HTML/JS filtering.
> All filtering activities should actually replace data with something,
> not just remove the data altogether.
>
> Example, the following input string:
>
> <BAD<BADTAG>TAG></BAD</BADTAG>TAG>
>
> would result in the following if a remove system were in place:
>
> <BADTAG></BADTAG>
>
> Which could be harmful if rendered.
> However, if the tag were to be replaced:
>
> <BAD<X>TAG></BAD</X>TAG>
>
> We get a tad more html rendering safety.
>
>
> this filtering stuff gets fun eh.


Which is why you simply don't (for simple logic reasons alone) allow and
render any HTML tag that would have a starting or ending HTML tag *within
it*.
--
Regards,
Tim Greer  chatmaster () charter net
Server administration, security, programming, consulting.