WebApp Sec mailing list archives
Re: Preventing cross site scripting
From: "Tim Greer" <chatmaster () charter net>
Date: Thu, 19 Jun 2003 19:51:11 -0700
----- Original Message ----- From: "Jeremiah Grossman" <jeremiah () whitehatsec com> To: "Mutallip Ablimit" <mutax () insi co jp> Cc: <webappsec () securityfocus com> Sent: Thursday, June 19, 2003 7:44 PM Subject: RE: Preventing cross site scripting
This post reminded me of another potential gotcha in HTML/JS filtering. All filtering activities should actually replace data with something, not just remove the data altogether. Example, the following input string: <BAD<BADTAG>TAG></BAD</BADTAG>TAG> would result in the following if a remove system were in place: <BADTAG></BADTAG> Which could be harmful if rendered. However, if the tag were to be replaced: <BAD<X>TAG></BAD</X>TAG> We get a tad more html rendering safety. this filtering stuff gets fun eh.
Which is why you simply don't (for simple logic reasons alone) allow and render any HTML tag that would have a starting or ending HTML tag *within it*. -- Regards, Tim Greer chatmaster () charter net Server administration, security, programming, consulting.
Current thread:
- Re: Preventing cross site scripting, (continued)
- Re: Preventing cross site scripting Tim Greer (Jun 20)
- Re: Preventing cross site scripting Matt Rohrer (Jun 20)
- Re: Preventing cross site scripting Andrew Beverley (Jun 24)
- Preventing cross site scripting Andrew Beverley (Jun 19)
- Re: Preventing cross site scripting Tim Greer (Jun 19)
- RE: Preventing cross site scripting David Cameron (Jun 19)
- Re: Preventing cross site scripting Alex Lambert (Jun 19)
- Re: Preventing cross site scripting Tim Greer (Jun 19)
- RE: Preventing cross site scripting Mutallip Ablimit (Jun 19)
- RE: Preventing cross site scripting Jeremiah Grossman (Jun 19)
- Re: Preventing cross site scripting Tim Greer (Jun 19)
- Re: Preventing cross site scripting Alex Lambert (Jun 19)
- Re: Preventing cross site scripting Bob Lee (Jun 19)
- Re: Preventing cross site scripting Tim Greer (Jun 19)
- RE: Preventing cross site scripting David Cameron (Jun 19)
- Re: Preventing cross site scripting Tim Greer (Jun 19)
- RE: Preventing cross site scripting Jeremiah Grossman (Jun 19)
- Re: Preventing cross site scripting Tim Greer (Jun 20)
- RE: Preventing cross site scripting Mutellip Ablimit (Jun 20)
- Re: Preventing cross site scripting Tim Greer (Jun 20)
- Re: Preventing cross site scripting Tim Greer (Jun 20)