WebApp Sec mailing list archives
Re: Preventing cross site scripting
From: "Tim Greer" <chatmaster () charter net>
Date: Thu, 19 Jun 2003 21:48:48 -0700
Yes, that would work for some basic tags that are static. Personally, I don't like PHP... far too buggy and far too many security issues over its time compared to alternatives such as Perl and C, so I'm not up to speed on all the functions to appreciate its regexes, though it can use Perl regexes, which is very cool (since they are the most versatile!).
--
Regards,
Tim Greer
chatmaster () charter net
Server administration, security, programming, consulting.

----- Original Message -----
From: "Mutellip Ablimit" <mutax () insi co jp>
To: "Tim Greer" <chatmaster () charter net>
Cc: <webappsec () securityfocus com>
Sent: Thursday, June 19, 2003 9:40 PM
Subject: RE: Preventing cross site scripting

> This strip_tags($Text, "<allowed tag>"); will be helpful then. (4php)
>
> Regards.
> ------------
> Mutellip Ablimit
> mutax () insi co jp
>
> -----Original Message-----
> From: Tim Greer [mailto:chatmaster () charter net]
> Sent: Friday, June 20, 2003 1:03 PM
> To: Jeremiah Grossman; Mutellip Ablimit
> Cc: webappsec () securityfocus com
> Subject: Re: Preventing cross site scripting
>
> ----- Original Message -----
> From: "Jeremiah Grossman" <jeremiah () whitehatsec com>
> To: "Mutellip Ablimit" <mutax () insi co jp>
> Cc: <webappsec () securityfocus com>
> Sent: Thursday, June 19, 2003 8:00 PM
> Subject: RE: Preventing cross site scripting
>
> > Certainly, this is probably the best practice no matter the method.
> >
> > On Thu, 2003-06-19 at 19:46, Mutellip Ablimit wrote:
> > > How about applying a loop operation until you get rid of all <bad tag>s.
>
> No, not the best method. This is illogical. You can't "check" for bad tags. You can only verify "good" tags. To do otherwise would be to blindly accept tags--there are no other alternatives to that logic. If you only enable good tags, you have control, and you don't have to check for bad tags--since you didn't enable them. Otherwise your logic goes into an endless loop and you'll never be able to get past this problem. It will also make it unnecessarily complicated and inefficient, for such a simple task.
> --
> Regards,
> Tim Greer
> chatmaster () charter net
> Server administration, security, programming, consulting.
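As an added illustration of the allowlist-versus-blocklist point made in this thread (example code written for this archive page, not posted by any participant; the tag lists and sample inputs are constructed), the Python below puts a sanitizer that re-emits only allowed tags beside the "strip listed bad tags until none remain" loop, so the difference in what survives can be seen directly:

```python
import html
import re
from typing import Iterable

# Constructed allowlist for this example: tags a commenter may use; attributes are never kept.
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br"}
# Constructed blocklist for the "strip the bad tags" approach discussed in the thread.
BAD_TAGS = {"script", "object", "embed"}

# One HTML tag: optional '/', a tag name, then anything up to the closing '>'.
TAG_RE = re.compile(r"<(/?)([a-zA-Z][a-zA-Z0-9]*)[^>]*>")


def allowlist_sanitize(text: str, allowed: Iterable[str] = ALLOWED_TAGS) -> str:
    """Re-emit only allowed tags (canonical, attribute-free); escape all other markup as text."""
    allowed = {t.lower() for t in allowed}
    out, pos = [], 0
    for m in TAG_RE.finditer(text):
        out.append(html.escape(text[pos:m.start()]))   # text between tags is data, not markup
        closing, name = m.group(1), m.group(2).lower()
        if name in allowed:
            out.append(f"<{closing}{name}>")           # attributes such as onclick= are dropped
        else:
            out.append(html.escape(m.group(0)))        # unknown tag is rendered literally, not as markup
        pos = m.end()
    out.append(html.escape(text[pos:]))
    return "".join(out)


def blocklist_strip(text: str, bad: Iterable[str] = BAD_TAGS) -> str:
    """Remove listed bad tags and repeat until nothing changes; anything unlisted survives untouched."""
    bad = {t.lower() for t in bad}
    while True:
        stripped = TAG_RE.sub(lambda m: "" if m.group(2).lower() in bad else m.group(0), text)
        if stripped == text:
            return text
        text = stripped


if __name__ == "__main__":
    sample = "<b onclick=x>hi</b> <iframe src=y></iframe>"   # constructed input
    print(allowlist_sanitize(sample))   # <b>hi</b> &lt;iframe src=y&gt;&lt;/iframe&gt;
    print(blocklist_strip(sample))      # unchanged: iframe and onclick= are not on the list
```

The allowlist version never needs a second pass, because nothing it did not explicitly re-emit can reach the browser as markup.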