WebApp Sec mailing list archives
Re: Preventing cross site scripting
From: "Tim Greer" <chatmaster () charter net>
Date: Fri, 20 Jun 2003 08:23:30 -0700
----- Original Message -----
From: "Wojciech Purczynski" <cliph () isec pl>
To: "Tim Greer" <chatmaster () charter net>
Cc: <webappsec () securityfocus com>
Sent: Friday, June 20, 2003 6:27 AM
Subject: Re: Preventing cross site scripting

> > To prevent CSS attacks, it is the most simple and trivial thing; simply
> > parse the input. Change all < and > tags to &lt; and &gt; for text/HTML
> > display of the tag itself without it parsing it. Then, like you stated,
> > and is the most basic approach to security for form input, etc., is to put
> > them back together with *only* the HTML tags you want, such as &lt;br&gt;
> > would then be put back together as a line break tag <br>. You can do this
> > easily for almost all HTML tags. For tags that could potentially be used to
> > input things such as anchor tags for images or hot links, etc., simply
> > control what's put back together.
>
> I like your idea. :)
>
> However, it would break some HTML pages that already contain some examples
> of HTML code etc.
>
> Perhaps it should be done in three steps:
>
> 1. Change all < > to &foolt; and &foogt; correspondingly
> 2. Put back all allowable HTML tags, i.e. &foolt;BODY&foogt;
>    (using regex or sth else to filter out unwanted attributes)
> 3. Change all remaining &foolt; to &lt; and &foogt; to &gt;
>
> Cheers,
> wp
I don't often use HTML examples in chat rooms and web forums, so I use the prior method most, but I sometimes do what you suggested now. I also try and make it use placeholders that are not easily guessed. Anyway, that's a good point.

--
Regards,
Tim Greer  chatmaster () charter net
Server administration, security, programming, consulting.
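The three-step placeholder scheme from the quoted message, combined with Tim's point about placeholders that cannot be guessed, worked through as an added example. This is not code posted by either participant; the allowlist in ALLOWED, the URL rule in SAFE_URL, the extra step that escapes '&' before anything else, and the reading of step 3 as emitting &lt;/&gt; (rather than raw brackets) are all assumptions made here.

```python
"""Placeholder-based HTML allowlisting, as discussed in the thread above.

Added example, not code from the original thread. Assumed: the allowlist in
ALLOWED, the URL rule in SAFE_URL, the '&' escaping step, and that step 3
turns leftover placeholders into &lt; / &gt; so stray brackets display as text.
"""
import re
import secrets

# Assumed allowlist: tag -> attributes it may keep (everything else is dropped).
ALLOWED = {"b": set(), "i": set(), "br": set(), "p": set(), "a": {"href"}}
# Assumed: only http(s) or site-relative links may survive in href.
SAFE_URL = re.compile(r"^(?:https?://|/)", re.IGNORECASE)
# Only double-quoted attributes are recognised; anything else is dropped.
ATTR_RE = re.compile(r'([A-Za-z][A-Za-z0-9-]*)\s*=\s*"([^"]*)"')


def _rebuild_tag(name, closing, attrs_src):
    """Return the allowlisted tag, or None if it must stay as escaped text."""
    name = name.lower()
    if name not in ALLOWED:
        return None
    if closing:
        return f"</{name}>"
    kept = []
    for attr, value in ATTR_RE.findall(attrs_src):
        attr = attr.lower()
        if attr not in ALLOWED[name]:
            continue  # onclick, style, onerror ... are never put back
        if attr == "href" and not SAFE_URL.match(value):
            continue  # javascript:, data:, vbscript: ... fail the positive rule
        kept.append(f' {attr}="{value}"')  # value has no '"', '<', '>' or raw '&'
    return f"<{name}{''.join(kept)}>"


def sanitize(text):
    # Tim's point: a placeholder the attacker cannot predict. Fresh nonce per call.
    nonce = secrets.token_hex(8)
    lt, gt = f"&{nonce}lt;", f"&{nonce}gt;"

    # Step 0 (assumed, not in the thread): escape '&' first, so an existing
    # entity such as &lt;, or a fixed placeholder such as &foolt;, typed by the
    # user is shown literally instead of being interpreted later.
    text = text.replace("&", "&amp;")

    # Step 1: every angle bracket becomes a placeholder.
    text = text.replace("<", lt).replace(">", gt)

    # Step 2: put back only allowlisted tags, filtering their attributes.
    # The tag body may not run across the next opening placeholder.
    body = rf"(?:(?!{re.escape(lt)}).)*?"
    tag_re = re.compile(
        rf"{re.escape(lt)}(/?)([A-Za-z][A-Za-z0-9]*)({body}){re.escape(gt)}",
        re.DOTALL,
    )

    def repl(m):
        rebuilt = _rebuild_tag(m.group(2), m.group(1) == "/", m.group(3))
        return rebuilt if rebuilt is not None else m.group(0)

    text = tag_re.sub(repl, text)

    # Step 3: whatever is still a placeholder is displayed literally.
    return text.replace(lt, "&lt;").replace(gt, "&gt;")


# Constructed inputs for the demo.
SAMPLES = [
    '<b>bold</b> and <script>alert(1)</script>',
    '<a href="javascript:alert(1)" onclick="x()">click</a>',
    '<a href="https://example.org/?a=1&b=2">ok</a>',
    'Example: &lt;div&gt; and &foolt;script&foogt;',
    '<b <i>odd</i>',
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(repr(s), "->", repr(sanitize(s)))
```

The regex tag parser is deliberately strict: a tag it does not understand, an unclosed bracket, or an attribute that is not double-quoted is simply shown as text rather than guessed at. The nonce matters only if step 3 ever emits raw brackets, but it costs nothing and removes one more thing an attacker can try.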