WebApp Sec mailing list archives

RE: Preventing cross site scripting


From: "David Cameron" <dcameron () itis-now com>
Date: Fri, 20 Jun 2003 12:30:06 +1000

You might also want to think about some things that are not likely to provide XSS, but would cause visual problems, e.g. <img src="" width="10000000" height="20000000"> or excessively large/small fonts.

regards
David Cameron
nOw.b2b
dcameron () itis-now com

-----Original Message-----
From: Bob Lee [mailto:crazybob () crazybob org]
Sent: Friday, 20 June 2003 12:19 PM
To: webappsec () securityfocus com
Subject: Re: Preventing cross site scripting


You can also embed javascript in seemingly harmless tags such as "img" and in event handlers, such as "onload".

Bob

On Thursday, June 19, 2003, at 08:50 PM, David Cameron wrote:

Create a list of unacceptable tags in an array (e.g. applet, embed), loop through the array and generate a regexpr based on the array, something of the form:
<(applet)|(embed).?> and replace all instances with "".

Do the same for any possible closing tags, i.e.:
</(applet)|(embed)> and replace all instances with "".

BTW the RegExpr may be wrong, I'm not all that hot on RegExprs, but you get the idea.

regards
David Cameron
nOw.b2b
dcameron () itis-now com

-----Original Message-----
From: Andrew Beverley [mailto:mail () andybev com]
Sent: Friday, 20 June 2003 4:28 AM
To: webappsec () securityfocus com
Subject: Preventing cross site scripting


I am currently writing a web application that, as a small part of it, needs to display an email message. Obviously the message is potentially in HTML format, which to display could be sent straight to the browser.

I would like to know the best way of filtering out undesirable HTML. I understand the best way is to only allow acceptable information, in this case all the different HTML formatting tags.

However, there are a lot of tags that are acceptable. Another approach would be to strip out all the bad stuff such as <SCRIPT>, <OBJECT>, <APPLET>, and <EMBED>, but this is far from ideal because of new tags becoming available and so on.

Are there any functions available (for PHP) that will take an HTML page as input and strip out all the nasty stuff? Does anyone have suggestions as to how to do this as easily as possible?

Thanks,

Andrew Beverley
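The thread above contrasts two approaches: stripping a blacklist of known-bad tags with a regular expression, versus rebuilding the message from an allowlist of acceptable tags and attributes. The example below is added here and is not code from any of the posters; it is written in Python (using the standard library's html.parser) rather than the PHP Andrew asked about, because the approach is the same in any language. The allowlist, the size limits (MAX_DIMENSION, FONT_SIZE_RANGE) and the sample inputs are all constructed for this example. It shows why the regex blacklist leaves the "img"/"onload" case Bob raises untouched, and how an allowlist sanitizer drops event handlers, non-http URLs, script bodies and the oversized width/height values David mentions, while keeping ordinary formatting and closing any tags the author left open.

```python
import re
from html import escape
from html.parser import HTMLParser

# Allowlist: tag name -> attribute names permitted on it. Constructed and
# deliberately small for this example; a real deployment would extend it.
ALLOWED_TAGS = {
    "p": set(), "br": set(), "b": set(), "i": set(), "u": set(),
    "em": set(), "strong": set(), "ul": set(), "ol": set(), "li": set(),
    "blockquote": set(),
    "a": {"href"},
    "img": {"src", "alt", "width", "height"},
    "font": {"size"},
}
VOID_TAGS = {"br", "img"}                 # never receive a closing tag
DROP_CONTENT_TAGS = {"script", "style"}   # discard the tag and its body
SAFE_URL_SCHEMES = ("http://", "https://", "mailto:")
MAX_DIMENSION = 2000                      # assumed pixel cap; rejects width="10000000"
FONT_SIZE_RANGE = (1, 7)                  # legacy <font size> values

# The blacklist approach from the thread: delete known-bad tags, keep everything else.
TAG_BLACKLIST = ("script", "object", "applet", "embed")


def blacklist_strip(fragment):
    """Remove opening and closing tags named in TAG_BLACKLIST, nothing else."""
    pattern = r"</?(?:%s)\b[^>]*>" % "|".join(TAG_BLACKLIST)
    return re.sub(pattern, "", fragment, flags=re.IGNORECASE)


def attribute_is_acceptable(tag, name, value):
    """True only if the attribute is allowlisted for the tag and its value passes its rule."""
    if name not in ALLOWED_TAGS[tag]:
        return False                      # onload, onclick, style, ... all land here
    if name in ("href", "src"):
        return value.strip().lower().startswith(SAFE_URL_SCHEMES)
    if name in ("width", "height"):
        return value.isdigit() and int(value) <= MAX_DIMENSION
    if name == "size":
        return value.isdigit() and FONT_SIZE_RANGE[0] <= int(value) <= FONT_SIZE_RANGE[1]
    return True                           # e.g. alt: free text, escaped on output


class AllowlistSanitizer(HTMLParser):
    """Rebuild the input from parsed tokens, emitting only allowlisted tags and attributes.

    Comments, declarations and processing instructions are dropped because the
    base class's default handlers for them do nothing.
    """

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []
        self.dropping = None              # tag whose body is currently being discarded

    def handle_starttag(self, tag, attrs):
        if self.dropping:
            return
        if tag in DROP_CONTENT_TAGS:
            self.dropping = tag
            return
        if tag not in ALLOWED_TAGS:
            return                        # unknown tag vanishes, its text content stays
        kept = [
            f' {name}="{escape(value, quote=True)}"'
            for name, value in attrs
            if attribute_is_acceptable(tag, name, value or "")
        ]
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if self.dropping:
            if tag == self.dropping:
                self.dropping = None
            return
        if tag in self.open_tags:
            while self.open_tags:         # close inner tags first to stay well-formed
                inner = self.open_tags.pop()
                self.out.append(f"</{inner}>")
                if inner == tag:
                    break

    def handle_data(self, data):
        if not self.dropping:
            self.out.append(escape(data, quote=False))

    def result(self):
        while self.open_tags:             # close anything the message left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize_html(fragment):
    """Return an allowlist-filtered, re-serialised version of an HTML fragment."""
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return parser.result()


if __name__ == "__main__":
    # Constructed sample message body combining the cases discussed in the thread.
    sample = ('<p>Hi <b>there</b></p><script>alert(1)</script>'
              '<img src="http://example.com/a.png" onload="alert(1)" width="10000000">'
              '<applet code="x"></applet><a href="javascript:alert(1)">link</a>')
    print("blacklist:", blacklist_strip(sample))
    print("allowlist:", sanitize_html(sample))
```

The blacklist output still carries the img tag with its onload attribute, which is exactly the gap Bob points out; the allowlist output keeps the paragraph and the image reference but drops the handler, the oversized width, the script body and the javascript: link.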
