WebApp Sec mailing list archives

Re: Preventing cross site scripting

From: "Tim Greer" <chatmaster () charter net>
Date: Thu, 19 Jun 2003 21:48:48 -0700

Yes,

That would work for some basic tags that are static. Personally, I don't
like PHP... far too buggy and far too many security issues over it's time
compared to alternatives such as Perl and C, so I'm not up to speed on all
the functions to appreciate it's regex's, though it can use Perl regex's,
which is very cool (since they are the most versatile!).
--
Regards,
Tim Greer  chatmaster () charter net
Server administration, security, programming, consulting.


----- Original Message -----
From: "Mutellip Ablimit" <mutax () insi co jp>
To: "Tim Greer" <chatmaster () charter net>
Cc: <webappsec () securityfocus com>
Sent: Thursday, June 19, 2003 9:40 PM
Subject: RE: Preventing cross site scripting

This strip_tags($Text, "<allowed tag>"); will be helpful then. (4php)

Regards.

------------
Mutellip Ablimit
mutax () insi co jp


-----Original Message-----
From: Tim Greer [mailto:chatmaster () charter net]
Sent: Friday, June 20, 2003 1:03 PM
To: Jeremiah Grossman; Mutellip Ablimit
Cc: webappsec () securityfocus com
Subject: Re: Preventing cross site scripting




----- Original Message -----
From: "Jeremiah Grossman" <jeremiah () whitehatsec com>
To: "Mutellip Ablimit" <mutax () insi co jp>
Cc: <webappsec () securityfocus com>
Sent: Thursday, June 19, 2003 8:00 PM
Subject: RE: Preventing cross site scripting

certainly, this is probably the best practice no matter the method.

On Thu, 2003-06-19 at 19:46, Mutellip Ablimit wrote:

How about apply a loop operation untill get rid of all <bad tag>s.


No, not the best method. This is illogical. You can't "check" for bad

tags.

You can only verify "good" tags. To do otherwise, would be to blindly

accept

tags--there are no other alternatives to that logic If you only enable

good

tags, you have control, and you don't have to check for bad tags--since

you

didn't enable them. otherwise your logic goes into an endless loop and
you'll never be able to get past this problem. It will also make it
unnecessarily complicated and inefficient, for such a simple task.
--
Regards,
Tim Greer  chatmaster () charter net
Server administration, security, programming, consulting.

Current thread:

RE: Preventing cross site scripting, (continued)
- - RE: Preventing cross site scripting Mutallip Ablimit (Jun 19)
    - RE: Preventing cross site scripting Jeremiah Grossman (Jun 19)
    - Re: Preventing cross site scripting Tim Greer (Jun 19)
  - Re: Preventing cross site scripting Bob Lee (Jun 19)
    - Re: Preventing cross site scripting Tim Greer (Jun 19)
- RE: Preventing cross site scripting David Cameron (Jun 19)
  - Re: Preventing cross site scripting Tim Greer (Jun 19)
- RE: Preventing cross site scripting Jeremiah Grossman (Jun 19)
  - Re: Preventing cross site scripting Tim Greer (Jun 20)
    - RE: Preventing cross site scripting Mutellip Ablimit (Jun 20)
    - Re: Preventing cross site scripting Tim Greer (Jun 20)
- RE: Preventing cross site scripting Michael Howard (Jun 20)
- RE: Preventing cross site scripting Calderon, Juan C (EM, DDEMESIS) (Jun 21)