Re: Preventing cross site scripting

["Tim Greer" <chatmaster () charter net>]

----- Original Message -----
From: "Jeremiah Grossman" <jeremiah () whitehatsec com>
To: "Mutellip Ablimit" <mutax () insi co jp>
Cc: <webappsec () securityfocus com>
Sent: Thursday, June 19, 2003 8:00 PM
Subject: RE: Preventing cross site scripting


> certainly, this is probably the best practice no matter the method.
>
> On Thu, 2003-06-19 at 19:46, Mutellip Ablimit wrote:
> > How about apply a loop operation untill get rid of all <bad tag>s.

No, not the best method. This is illogical. You can't "check" for bad tags.
You can only verify "good" tags. To do otherwise, would be to blindly accept
tags--there are no other alternatives to that logic If you only enable good
tags, you have control, and you don't have to check for bad tags--since you
didn't enable them. otherwise your logic goes into an endless loop and
you'll never be able to get past this problem. It will also make it
unnecessarily complicated and inefficient, for such a simple task.
--
Regards,
Tim Greer  chatmaster () charter net
Server administration, security, programming, consulting.