WebApp Sec mailing list archives
Re: Preventing cross site scripting
From: Wojciech Purczynski <cliph () isec pl>
Date: Fri, 20 Jun 2003 15:27:05 +0200 (CEST)
To prevent CSS attacks, it is the most simple and trivial thing; Simply parse the input. Change all < and > tags to < and > for text/HTML display of the tag itself without it parsing it. Then, like you stated, and is the most basic approach to security for form input, etc., is to put them back together with *only* the HTML tags you want, such as <br> would then be put back together as a line break tag <br> You can do this easily for almost all HTML tags. For tags that could potentially be used to input things such as anchor tags for images or hot links, etc. simply control what's put back together.
I like your idea. :) However, it would break some HTML pages that already contains some examples of HTML code etc. Perhaps it should be done in three steps: 1. Change all < > to &foolt; and &foogt; corresponding 2. Put back all allowable HTML tags i.e. &foolt;BODY&foogt; (using regex or sth else to filter out unwanted attributes) 3. Change all remaining &foolt; to < and &foogt; to > Cheers, wp -- Wojciech Purczynski iSEC Security Research http://isec.pl/
Current thread:
- Preventing cross site scripting Andrew Beverley (Jun 19)
- Re: Preventing cross site scripting Jeremiah Grossman (Jun 19)
- Re: Preventing cross site scripting Tim Greer (Jun 19)
- Re: Preventing cross site scripting Tim Greer (Jun 20)
- Re: Preventing cross site scripting Wojciech Purczynski (Jun 20)
- Re: Preventing cross site scripting Laurian Gridinoc (Jun 20)
- Re: Preventing cross site scripting Tim Greer (Jun 20)
- Re: Preventing cross site scripting Laurian Gridinoc (Jun 20)
- Re: Preventing cross site scripting Tim Greer (Jun 20)
- Re: Preventing cross site scripting Laurian Gridinoc (Jun 21)
- Re: Preventing cross site scripting Tim Greer (Jun 21)
- Message not available
- Re: Preventing cross site scripting Tim Greer (Jun 21)
- Re: Preventing cross site scripting Laurian Gridinoc (Jun 21)
- Re: Preventing cross site scripting Tim Greer (Jun 21)
- Re: Preventing cross site scripting Wojciech Purczynski (Jun 20)
- Re: Preventing cross site scripting Jeremiah Grossman (Jun 19)
- Re: Preventing cross site scripting Tim Greer (Jun 20)