WebApp Sec mailing list archives

Re: Preventing cross site scripting


From: "Tim Greer" <chatmaster () charter net>
Date: Fri, 20 Jun 2003 08:23:30 -0700

----- Original Message -----
From: "Wojciech Purczynski" <cliph () isec pl>
To: "Tim Greer" <chatmaster () charter net>
Cc: <webappsec () securityfocus com>
Sent: Friday, June 20, 2003 6:27 AM
Subject: Re: Preventing cross site scripting

To prevent CSS attacks, it is the most simple and trivial thing; simply
parse the input. Change all < and > tags to &lt; and &gt; for text/HTML
display of the tag itself without it being parsed. Then, like you stated,
and what is the most basic approach to security for form input, etc., is
to put them back together with *only* the HTML tags you want, such as
&lt;br&gt; would then be put back together as a line break tag <br>. You
can do this easily for almost all HTML tags. For tags that could
potentially be used to input things such as anchor tags for images or hot
links, etc., simply control what's put back together.

I like your idea. :) However, it would break some HTML pages that already
contain some examples of HTML code etc.

Perhaps it should be done in three steps:

1. Change all < and > to &foolt; and &foogt; respectively
2. Put back all allowable HTML tags, i.e. &foolt;BODY&foogt;
   (using a regex or something else to filter out unwanted attributes)
3. Change all remaining &foolt; to &lt; and &foogt; to &gt;

Cheers,
wp

I don't often use HTML examples in chat rooms and web forums, so I use the
prior method most, but I sometimes do what you suggested now. I also try to
make it use placeholders that are not easily guessed. Anyway, that's a good
point.
--
Regards,
Tim Greer  chatmaster () charter net
Server administration, security, programming, consulting.
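The three-step scheme discussed in this thread (hide every < and > behind a placeholder, restore only an allowlist of tags, then turn the remaining placeholders into &lt; and &gt;), written out as a Python example. This is added illustration, not code from either poster. The tag allowlist, the anchor rule (only href with a plain http/https URL, no other attributes) and the initial escaping of & are assumptions of this example; escaping & before the placeholder step is not part of the thread's recipe, and it is what makes a user-typed "&foolt;" unable to collide with the placeholder, so the placeholder no longer has to be hard to guess.

```python
import re

# Placeholders from step 1 of the scheme in the thread.
LT_PH = "&foolt;"
GT_PH = "&foogt;"

# Hypothetical allowlist: these tags are restored with no attributes at all.
SIMPLE_TAGS = ("b", "i", "em", "strong", "p", "br")

SIMPLE_TAG_RE = re.compile(
    re.escape(LT_PH) + r"(/?)(" + "|".join(SIMPLE_TAGS) + r")\s*/?" + re.escape(GT_PH),
    re.IGNORECASE,
)

# Anchors: only <a href="..."> with a plain http(s) URL and nothing else.
ANCHOR_OPEN_RE = re.compile(
    re.escape(LT_PH) + r'a\s+href="([^"]*)"\s*' + re.escape(GT_PH), re.IGNORECASE
)
ANCHOR_CLOSE_RE = re.compile(re.escape(LT_PH) + r"/a\s*" + re.escape(GT_PH), re.IGNORECASE)
# Conservative URL shape (assumption): scheme fixed, no quotes, no '&', no '<' or '>'.
SAFE_HREF_RE = re.compile(r"^https?://[A-Za-z0-9._~/:?=#%+-]*$")


def neutralize(text: str) -> str:
    """Step 1: hide every < and > behind a placeholder.

    Escaping '&' first is this example's addition: a user who literally
    types '&foolt;' ends up with '&amp;foolt;', which no later step treats
    as a placeholder, so no guessing game around the placeholder is needed.
    """
    text = text.replace("&", "&amp;")
    return text.replace("<", LT_PH).replace(">", GT_PH)


def restore_allowed(text: str) -> str:
    """Step 2: put back only tags on the allowlist, attributes filtered."""
    # Simple tags carry no attributes; anything like <b onmouseover=..> does
    # not match this pattern and therefore stays hidden for step 3.
    text = SIMPLE_TAG_RE.sub(lambda m: f"<{m.group(1)}{m.group(2).lower()}>", text)

    def anchor(m: re.Match) -> str:
        href = m.group(1)
        if SAFE_HREF_RE.match(href):
            return f'<a href="{href}">'
        return m.group(0)  # leave hidden; step 3 renders it as visible text

    text = ANCHOR_OPEN_RE.sub(anchor, text)
    return ANCHOR_CLOSE_RE.sub("</a>", text)


def escape_rest(text: str) -> str:
    """Step 3: every placeholder still present becomes a literal &lt; / &gt;."""
    return text.replace(LT_PH, "&lt;").replace(GT_PH, "&gt;")


def sanitize(text: str) -> str:
    """Run the three steps in order."""
    return escape_rest(restore_allowed(neutralize(text)))


if __name__ == "__main__":
    # Constructed sample inputs for a quick manual check.
    for sample in (
        "<b>hello</b> world",
        '<a href="http://example.com/">site</a>',
        "<script>alert(1)</script>",
        '<b onmouseover="x">hi</b>',
        "Tom & Jerry <3",
        "&foolt;b&foogt;",
    ):
        print(repr(sample), "->", repr(sanitize(sample)))
```

A rejected opening anchor leaves its closing </a> restored on its own; browsers ignore a stray close tag, so that is cosmetic. The important property is that nothing reaches step 3 as a live tag unless step 2 deliberately rebuilt it from an allowlisted name and a validated attribute.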