Vulnerability Development mailing list archives

Re: CROSS SITE-SCRIPTING Protection with PHP


From: Dan Kaminsky <dan () doxpara com>
Date: Tue, 15 Oct 2002 07:52:37 -0700

A universal solution to XSS or almost any security problem is not possible.
This is because you need to consider function as well as security.


You also need to consider function as well as security. As I pointed out earlier, something akin to a <SCRIPTEND> tag to permanently disable all inline script parsing of HTML after a certain point would be remarkably effective -- essentially, the web server could output its own trusted content w/ scripting, then all that came after would be (relatively) safe HTML. By irrevocably removing functionality after a given point, we're not faced with the state explosion of trying to define those few options we'll allow to survive within the sandbox that won't let you dig your way out.

Of course, there become issues with links to remote sites that contain one of the dozen or so unpatched browser bugs, but that's an entirely different issue.

One other thing we've needed for some time is for someone to fund work on Mozilla to extract the script parsing engine and convert it into a component of some sort that accepts HTML and returns whether script calls or various tags do or do not show up in said HTML, *as parsed by a legitimate browser*. As you point out, one can scrub with some extraordinary fervor and there's still some other way that browsers have been built to understand content. We've *got* an Open Source browser here that's been built to function with most of the various contexts the web has to offer. A last ditch "run post through a server-side browser, and if it still shows tags/scripts/etc, drop it" function would be useful.

Yours Truly,

   Dan Kaminsky
   DoxPara Research
   http://www.doxpara.com
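As an added illustration of the "check the HTML as a parser sees it" idea from the post above (example code, not Kaminsky's or Mozilla's; it uses Python's html.parser as a stand-in for a real browser engine, which is only an approximation, and the sample documents are constructed):

```python
# Added example: a server-side check that inspects HTML as an HTML parser
# tokenises it, rather than pattern-matching the raw text. Python's
# html.parser is an approximation of a browser engine, not a replacement.
import re
from html.parser import HTMLParser

# Attributes that may carry a javascript: pseudo-URL.
URL_ATTRS = {"href", "src", "action", "formaction"}


class ScriptDetector(HTMLParser):
    """Collects every point where the parser would hand content to script."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # html.parser lower-cases tag/attribute names and decodes entity
        # references inside attribute values, so the checks below see the
        # normalised form a browser would act on, not the raw bytes.
        if tag == "script":
            self.findings.append("script element")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"{name} handler on <{tag}>")
            elif name in URL_ATTRS and value:
                scheme = "".join(value.split()).lower()
                if scheme.startswith("javascript:"):
                    self.findings.append(f"javascript: URL in {name} on <{tag}>")


def scan(document: str) -> list:
    """Return the active-content findings; an empty list means none were seen."""
    det = ScriptDetector()
    det.feed(document)
    det.close()
    return det.findings


def naive_scrub(document: str) -> str:
    """The text-level approach the post argues against: strip literal <script>."""
    return re.sub(r"<script\b.*?</script>", "", document, flags=re.S | re.I)


# Constructed sample documents (illustrative only).
SAMPLES = {
    "plain": "<p>Hello <b>world</b></p>",
    "mixed_case": "<ScRiPt>x()</ScRiPt>",
    "handler": '<img src="a.png" onerror="x()">',
    "encoded_url": '<a href="&#106;avascript:x()">go</a>',
}
```

The `handler` sample passes `naive_scrub` untouched but is flagged by `scan`, which is the gap the post describes between scrubbing text and parsing it.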


