WebApp Sec mailing list archives
Preventing XSS
From: "Ulf Harnhammar" <metaur () operamail com>
Date: Fri, 20 Jun 2003 16:54:17 +0100
Hello!

I see that a lot of people here are interested in preventing Cross-Site Scripting. Why don't you join the people who are working on filters for it (like my kses in PHP, or someone else's HTML::StripScripts::Parser in Perl), so we end up with really robust open-source implementations that we can point people to?

Talking about filters, didn't the OWASP Project use to work on them as well? Did they release anything?

Another question: People were discussing a <dead> tag earlier that would temporarily stop execution of JavaScript in a web page. (Not that the XSS problem is only related to JavaScript, mind you; meta refreshes can be just as bad.) Did someone start implementing that?

Another two pence to the general XSS discussion: it's not just about whole HTML elements, it's also about fragments. With this PHP code:

echo "<a href=\"$url\">Homepage</a>\n";

you can cause an XSS problem if $url is:

http://www.somestupidsite.tk/" onMouseOver="alert(57)

Just processing "<" and ">" won't help you. In this type of fragment, quotes and apostrophes must be handled as well.

// Ulf Harnhammar
kses - PHP HTML filter
http://sourceforge.net/projects/kses
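The attribute-context point made in the post above, worked through as an added example (this is not code from the post, from kses, or from any other project mentioned in the thread). The Python below mirrors the PHP echo twice: once neutralising only "<" and ">", once escaping quotes as well, and then parses the resulting anchor with the standard-library HTMLParser to see which attributes the browser side would actually get. The payload string is the one from the post; the function and class names are this example's own.

```python
import html
from html.parser import HTMLParser

# Constructed sample input: the $url value quoted in the post above.
MALICIOUS_URL = 'http://www.somestupidsite.tk/" onMouseOver="alert(57)'


def render_naive(url: str) -> str:
    """Mirror of: echo "<a href=\"$url\">Homepage</a>\n";
    with a filter that only touches "<" and ">". The double quote in
    the URL still closes the href value and starts a new attribute."""
    filtered = url.replace('<', '&lt;').replace('>', '&gt;')
    return f'<a href="{filtered}">Homepage</a>\n'


def render_escaped(url: str) -> str:
    """Same fragment, but the value is escaped for attribute context:
    &, <, >, " and ' all become character references, so the quote in
    the URL can no longer terminate the href attribute."""
    return f'<a href="{html.escape(url, quote=True)}">Homepage</a>\n'


class AnchorAttrs(HTMLParser):
    """Collects the attributes of the first <a> start tag seen."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs: dict = {}

    def handle_starttag(self, tag, attrs):
        if tag == 'a' and not self.attrs:
            # HTMLParser lowercases attribute names and decodes
            # character references in attribute values.
            self.attrs = dict(attrs)


def anchor_attributes(markup: str) -> dict:
    """Parse an anchor fragment and return its attribute dictionary."""
    parser = AnchorAttrs()
    parser.feed(markup)
    parser.close()
    return parser.attrs


if __name__ == '__main__':
    for label, render in (('naive', render_naive), ('escaped', render_escaped)):
        out = render(MALICIOUS_URL)
        print(f'{label}: {out.strip()}')
        print(f'   attributes seen by the parser: {anchor_attributes(out)}')
```

With the naive filter the parser reports two attributes, href and onmouseover, which is the injected event handler; with quote-aware escaping it reports a single href whose decoded value is the whole original string, so the payload ends up as inert URL text rather than markup.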
Current thread:
- Preventing XSS Ulf Harnhammar (Jun 20)
- Re: Preventing XSS Tim Greer (Jun 20)
- <Possible follow-ups>
- Re: Preventing XSS Mark Curphey (Jun 20)