WebApp Sec mailing list archives
Re: [Re: AppSec FAQ at OWASP]
From: Sangita Pakala <sangita.pakala () paladion net>
Date: Thu, 29 Jan 2004 22:09:48 +0550
オマル イスマイル <isumai-u () is aist-nara ac jp> wrote:
I would like to know that how you deal with the false positive? In the case of " <img src= "javascript: preview(....)> or <img src="javascript:window.close()>..etc..etc.. If you escape the "(" and ")" that means you render out the harmless Javascript too.
I'm not sure if I've understood the issue, so please correct me if I'm wrong. You would not escape *every* '<' or '(' in the HTML page. You would only escape those which come from user-supplied inputs in the first place. I assume that the harmless calls to preview() and window.close() are *not* user-supplied inputs, but part of the HTML page template. So, there shouldn't be false positives escaping '(' and ')' from content that came from user-supplied inputs. Thanks, Sangita.
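The distinction Sangita draws, as an added example that is not part of the original thread: the page template (with its own preview() and window.close() calls) is trusted, so only the user-supplied value is run through the encoder before it is dropped into the template. The template, the set of characters the encoder neutralises (it includes '(' and ')' to mirror the filter the question describes), and the sample comment are all constructed for this illustration.

```python
# Output encoding applied to user input only, versus to the whole page.
# Everything below is constructed for illustration, not taken from the thread.

# Trusted, author-controlled template. Its parentheses and angle brackets
# are deliberately never escaped; only the {comment} slot receives user data.
PAGE_TEMPLATE = (
    '<html><body>\n'
    '<a href="#" onclick="window.close(); return false;">Close</a>\n'
    '<img src="preview.png" onclick="preview(this)">\n'
    '<p class="comment">{comment}</p>\n'
    '</body></html>\n'
)

# Characters neutralised when they come from user input. The set includes
# '(' and ')' to mirror the filter discussed in the thread; a plain HTML
# encoder such as html.escape() would leave those two untouched.
UNSAFE_CHARS = {'&', '<', '>', '"', "'", '(', ')'}

# Template JavaScript that must survive rendering verbatim.
TRUSTED_CALLS = ('window.close()', 'preview(this)')


def escape_user_input(value: str) -> str:
    """Replace each unsafe character with its decimal numeric character reference.

    Each input character is examined once and its replacement is never
    re-scanned, so '&' does not need special ordering.
    """
    return ''.join(f'&#{ord(c)};' if c in UNSAFE_CHARS else c for c in value)


def render_page_correct(user_comment: str) -> str:
    """Encode only the untrusted value, then place it into the trusted template."""
    return PAGE_TEMPLATE.format(comment=escape_user_input(user_comment))


def render_page_overescaped(user_comment: str) -> str:
    """The mistake behind the 'false positive': substitute first, encode the whole page.

    This breaks the template's own markup and script calls as well.
    """
    return escape_user_input(PAGE_TEMPLATE.format(comment=user_comment))


def trusted_script_intact(rendered: str) -> bool:
    """True when the template's own JavaScript calls appear unchanged."""
    return all(call in rendered for call in TRUSTED_CALLS)


def user_markup_neutralised(rendered: str, user_comment: str) -> bool:
    """True when no unsafe character from the comment reached the page raw."""
    return all(c not in rendered or c not in UNSAFE_CHARS for c in user_comment) and \
        user_comment not in rendered


if __name__ == '__main__':
    # Constructed sample comment containing markup a user should not be able to inject.
    sample = '<script>alert(1)</script>'
    good = render_page_correct(sample)
    bad = render_page_overescaped(sample)
    print('correct rendering keeps template script:', trusted_script_intact(good))
    print('correct rendering neutralises comment  :', sample not in good)
    print('over-escaping keeps template script    :', trusted_script_intact(bad))
```

The second render function is only there to show the breakage: encoding after substitution turns window.close() into window.close&#40;&#41; and escapes the template's own tags, which is the "harmless JavaScript rendered out" the question describes. Encoding at the point where untrusted data enters the page, as in the first function, has no such false positive.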
Current thread:
- Re: [Re: AppSec FAQ at OWASP] Sangita Pakala (Jan 29)
- Re: [Re: AppSec FAQ at OWASP] Omar Ismail (Jan 29)
- <Possible follow-ups>
- Re: [Re: AppSec FAQ at OWASP] Rohyt Belani (Jan 29)
- Re: [Re: AppSec FAQ at OWASP] Philippe P. (Jan 30)
- Re: [Re: AppSec FAQ at OWASP] Philippe Prados (Jan 30)
- Re: [Re: AppSec FAQ at OWASP] Ulf Härnhammar (Jan 30)
- Re: [Re: AppSec FAQ at OWASP] Omarjan Ismail (Jan 29)
- Re: [Re: AppSec FAQ at OWASP] Rohyt Belani (Jan 30)