Full Disclosure mailing list archives
Re: logically stopping xss
From: Valdis.Kletnieks () vt edu
Date: Wed, 23 Jul 2003 01:26:24 -0400
On Tue, 22 Jul 2003 23:55:24 EDT, KF <dotslash () snosoft com> said:
> SecFilter "<(.|\n)+>"
> the JavaScript language can be used on the client side, which should replace the prohibited characters with special tags, e.g. < > " etc.
What's wrong with this picture? :) The basic problem here (going all theoretical) is that there's a very messy intermixing of executable code (javascript) and data (html) going on, forming what's often known as a von Neumann architecture. If we had a Harvard architecture (where code is code and data is data and never the twain shall meet), we'd have a lot less trouble....
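As an added illustration (not code from this thread or its participants): the quoted SecFilter pattern re-implemented as a Python regex, placed next to the approach the code/data separation argument above points to, server-side output encoding that keeps whatever the user typed as inert text. The sample inputs, the comment template and the helper names are constructed for this example.

```python
import html
import re

# The SecFilter pattern quoted in the thread, re-implemented as a Python
# regex so its behaviour can be checked offline (a constructed stand-in,
# not mod_security itself).
SECFILTER = re.compile(r"<(.|\n)+>")


def request_blocked(value: str) -> bool:
    """Mimic the quoted rule: reject any input containing '<' ... '>'."""
    return SECFILTER.search(value) is not None


def render_comment(untrusted: str) -> str:
    """Keep data as data: the only markup is the fixed template, and the
    user-supplied text is HTML-escaped so the browser never parses it as
    a tag or attribute."""
    return '<p class="comment">%s</p>' % html.escape(untrusted, quote=True)


def markup_tags(fragment: str) -> list:
    """List the tags a browser would see in a fragment (simple scan)."""
    return re.findall(r"<[^>]*>", fragment)


# Constructed sample inputs: one that is markup, two that are ordinary text
# which happen to contain angle brackets.
SAMPLES = [
    "<b>hi</b>",
    "if a<b and c>d, swap them",
    "I <3 cats",
]

if __name__ == "__main__":
    for s in SAMPLES:
        blocked = request_blocked(s)
        tags = markup_tags(render_comment(s))
        print(f"{s!r}: blocked={blocked} tags_in_output={tags}")
```

The pattern rejects the arithmetic sentence along with the real markup yet passes "I <3 cats", while the escaped rendering leaves all three inputs as text inside the template; the escaping has to happen where the page is assembled (the server here), since a client-side replacement step does not fix what reaches the server or other clients.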