WebApp Sec mailing list archives

Re: Preventing cross site scripting


From: "Tim Greer" <chatmaster () charter net>
Date: Thu, 19 Jun 2003 19:47:25 -0700



----- Original Message -----
From: "Alex Lambert" <alambert () quickfire org>
To: "David Cameron" <dcameron () itis-now com>; "Andrew Beverley"
<mail () andybev com>; <webappsec () securityfocus com>
Sent: Thursday, June 19, 2003 7:13 PM
Subject: Re: Preventing cross site scripting


What about onClick (etc) attributes? i.e. <img src="good.gif*"
onMouseOver="evil();">

Onclick, onmouse, etc. don't do any good to the person trying them, if you
don't allow double quotes and single quotes, etc. within an anchor,
image/src type tag.

Such as (as again, converting all tags first and then putting them back
together):

s/&lt;\s*img\s+sr.\s*=\s*['"](https?:\/\/)?(\w@:\w+.){1,}\.\w{2,4}(/\w.\/\?\
$)*\s*?&gt;/... and so on... It will not allow anything to work that you
don't allow in the src tag. Again, just an example, not a working regex or
complete. This is the entire point--not to guess about "well, what if
someone...", because you know 'exactly' what they are able to do...
--
Regards,
Tim Greer  chatmaster () charter net
Server administration, security, programming, consulting.
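The escape-everything-then-restore-an-allow-list approach Tim describes above, as an added example that is not part of the original thread. It escapes every tag, then puts back only an `<img>` whose `src` is an absolute http(s) URL ending in an image extension and that carries no other attribute; the URL character class and file extensions are assumptions chosen for the example, and the input strings are constructed.

```python
import html
import re

# Allow-list pattern applied to the already-escaped text. The captured URL
# is built from characters that exclude & " < > so nothing can be smuggled
# back through the capture group. The URL grammar is an assumption for this
# example, not a general-purpose URL validator.
_IMG_RE = re.compile(
    r'&lt;\s*img\s+src\s*=\s*&quot;'
    r'(https?://[A-Za-z0-9.-]+(?:/[A-Za-z0-9._/-]*)?\.(?:gif|png|jpe?g))'
    r'&quot;\s*/?&gt;',
    re.IGNORECASE,
)


def sanitize(untrusted: str) -> str:
    """Escape every tag, then restore only the allow-listed <img> form.

    Anything that is not exactly the allowed form, including an <img> that
    also carries onMouseOver/onclick, stays as inert escaped text.
    """
    escaped = html.escape(untrusted, quote=True)  # < > & " ' become entities
    return _IMG_RE.sub(lambda m: '<img src="%s">' % m.group(1), escaped)


if __name__ == "__main__":
    # Constructed inputs: the allowed form, and the onMouseOver case from the
    # thread, which is left escaped because the extra attribute never matches.
    for sample in (
        '<img src="http://example.com/pics/good.gif">',
        '<img src="good.gif" onMouseOver="evil();">',
        '<img src="http://example.com/x.gif"><script>alert(1)</script>',
    ):
        print(repr(sample), "->", repr(sanitize(sample)))
```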

