WebApp Sec mailing list archives

Re: Preventing cross site scripting


From: Laurian Gridinoc <laur () grapefruitdesign com>
Date: 20 Jun 2003 21:12:53 +0300

On Fri, 2003-06-20 at 19:08, Tim Greer wrote:
> > The most elegant way to control html input would be to parse it to a DOM
> > tree and control it from there; I'm widely using Tidy to `correct' the
> > input to XHTML, then by a simple XSL transformation I can filter/alter
> > whatever elements I need.
> Can you give a real world example of a URL link/anchor tag on how you would
> allow or disallow it from becoming active based on specific variables that
> would prevent an attack that would be a superior method over a regex
> example, such as I offered?

I can; it surely takes more lines, but I was talking more about the markup
handling and not about validating the values enclosed in attributes and/or
text nodes; XSL has string functions which may be used to test and
change attribute and text node values; you may use them or you may call
external resources which may better handle them.

> > I consider filtering html as if it were a mere string (i.e. using regexp or
> > simple replace methods) pretty uncertain in results and not quite
> > programming :) -- it's a language, it has a grammar, then use a parser.
> I don't see how anything would be better than a regex, but everyone has
> their preferences. TIMTOWTDI, I'm sure.

I just like (and consider it safe) to treat markup (sometime before) and
apart from content.

> You think regexes aren't quite
> programming? :()

No, regexes are wonderful & powerful tools (not always very readable);
however, I was regarding the problem in this way: it is tricky (read: hard
to debug) to treat the markup and the content at the same time (at index
j in a string you might be in a tag name, a value or a comment - way too
tricky to handle this context incertitude); in my suggestion I can treat
content while I'm very sure of the context.


Cheers,

-- 
Laurian Gridinoc
Chief Developer
GRAPEFRUIT DESIGN
www.grapefruitdesign.com
www.gd.ro
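
The parse-then-filter approach argued for in this thread, as an added example that is not part of the original post: a Python stand-in for the Tidy plus XSLT pipeline, which takes an already well-formed XHTML fragment (assumed to be Tidy's output, using numeric entities only), rebuilds it from a whitelist of elements and attributes, and checks each href at a point where the code knows it is handling an attribute value rather than a tag name or a text node. The whitelist, the drop list and the allowed schemes are assumptions chosen for the example.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Assumed policy: element -> attributes kept on it; everything else is dropped.
ALLOWED = {"p": set(), "br": set(), "em": set(), "strong": set(),
           "b": set(), "i": set(), "a": {"href", "title"}}
DROP_WHOLE = {"script", "style", "object", "embed", "iframe"}  # discard with content
SAFE_SCHEMES = {"http", "https", "mailto", ""}  # "" means a relative URL

def safe_href(value):
    """Return value if its scheme is harmless, else None.  Whitespace and
    control characters are stripped first because browsers ignore them inside
    a scheme, so "java<TAB>script:" would otherwise slip past a scheme check."""
    value = re.sub(r"[\x00-\x20]", "", value)
    return value if urlsplit(value).scheme.lower() in SAFE_SCHEMES else None

def _append_text(parent, text):
    """Append text to parent: into .text if it has no children, else onto the tail of the last child."""
    if not text:
        return
    if len(parent):
        parent[-1].tail = (parent[-1].tail or "") + text
    else:
        parent.text = (parent.text or "") + text

def _copy_into(out_parent, elem):
    """Copy the cleaned subtree of elem into out_parent (rebuild, never mutate in place)."""
    if elem.tag in DROP_WHOLE:
        return
    if elem.tag in ALLOWED:
        new = ET.SubElement(out_parent, elem.tag)
        for name, value in elem.attrib.items():
            if name in ALLOWED[elem.tag]:
                if name == "href":          # here the context is certain: an href value
                    value = safe_href(value)
                if value is not None:
                    new.set(name, value)
        target = new
    else:
        target = out_parent               # unknown tag: unwrap it, keep its content
    _append_text(target, elem.text)
    for child in elem:
        _copy_into(target, child)
        _append_text(target, child.tail)  # text following the child stays in order

def sanitize(xhtml_fragment):
    """Parse a well-formed XHTML fragment and return it rebuilt from the whitelist only."""
    root = ET.fromstring("<root>" + xhtml_fragment + "</root>")
    out = ET.Element("root")
    out.text = root.text
    for child in root:
        _copy_into(out, child)
        _append_text(out, child.tail)
    if not len(out) and not out.text:
        return ""
    return ET.tostring(out, encoding="unicode")[len("<root>"):-len("</root>")]
```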