WebApp Sec mailing list archives

Preventing XSS


From: "Ulf Harnhammar" <metaur () operamail com>
Date: Fri, 20 Jun 2003 16:54:17 +0100

Hello!

I see that a lot of people here are interested in preventing Cross-Site Scripting. Why don't you join the people who 
are working on filters for it (like my kses in PHP, or someone else's HTML::StripScripts::Parser in Perl), so we end up 
with really robust open-source implementations that we can point people to?

Talking about filters, didn't the OWASP Project use to work on them as well? Did they release anything?

Another question: People were discussing a <dead> tag earlier that would temporarily stop execution of JavaScript in a 
web page. (Not that the XSS problem is only related to JavaScript, mind you, meta refreshes can be just as bad.) Did 
someone start implementing that?

Another two pence to the general XSS discussion: it's not just about whole HTML elements, it's also about fragments. 
With this PHP code:

echo "<a href=\"$url\">Homepage</a>\n";

you can cause an XSS problem if $url is:

http://www.somestupidsite.tk/"; onMouseOver="alert(57)

Just processing "<" and ">" won't help you. In this type of fragment, quotes and apostrophes must be handled as well.

// Ulf Harnhammar
   kses - PHP HTML filter
   http://sourceforge.net/projects/kses
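To make the attribute-fragment point concrete, here is an added example (mine, not Ulf's code or kses) that places the vulnerable echo from the mail next to a naive "strip < and >" variant and a version escaped with PHP's htmlspecialchars(ENT_QUOTES). The breaksOutOfAttribute() helper is a constructed heuristic for the demonstration only, not a real filter; PHP 7 or later is assumed.

```php
<?php
// Added example, not part of the original post. The $payload string is the
// one quoted in the mail; everything else here is constructed for illustration.

// 1. Vulnerable: $url is interpolated straight into a quoted attribute value.
function linkUnsafe(string $url): string {
    return "<a href=\"$url\">Homepage</a>\n";
}

// 2. Still vulnerable: removing "<" and ">" does nothing about the quote
//    that closes href and lets a second attribute be injected.
function linkNaive(string $url): string {
    $stripped = str_replace(['<', '>'], '', $url);
    return "<a href=\"$stripped\">Homepage</a>\n";
}

// 3. Hardened for this context: ENT_QUOTES encodes both " and ' (as well as
//    <, > and &), so the value can no longer terminate the attribute.
function linkSafe(string $url): string {
    $escaped = htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<a href=\"$escaped\">Homepage</a>\n";
}

// Constructed heuristic for the demo: if the <a ...> tag ends up carrying
// more than the one attribute we wrote, the value broke out of href.
function breaksOutOfAttribute(string $html): bool {
    if (!preg_match('/<a ([^>]*)>/', $html, $m)) {
        return false;
    }
    return substr_count($m[1], '="') > 1;
}

$payload = 'http://www.somestupidsite.tk/"; onMouseOver="alert(57)'; // from the mail
$benign  = 'http://example.com/page?a=1&b=2';                       // constructed

foreach (['payload' => $payload, 'benign' => $benign] as $label => $url) {
    foreach (['unsafe' => 'linkUnsafe', 'naive' => 'linkNaive', 'safe' => 'linkSafe'] as $name => $fn) {
        $html = $fn($url);
        printf("%-7s %-6s broke out: %-5s %s", $label, $name,
               breaksOutOfAttribute($html) ? 'yes' : 'no', $html);
    }
}
```

For the quoted payload, the unsafe and naive variants both report a break-out while the escaped one does not; the benign URL is unchanged in behaviour in all three, with only its ampersand encoded in the safe output.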
