WebApp Sec mailing list archives
Re: Preventing cross site scripting
From: "Tim Greer" <chatmaster () charter net>
Date: Fri, 20 Jun 2003 10:11:28 -0700
----- Original Message -----
From: "Laurian Gridinoc" <laur () grapefruitdesign com>
To: "Tim Greer" <chatmaster () charter net>
Cc: <webappsec () securityfocus com>
Sent: Friday, June 20, 2003 11:12 AM
Subject: Re: Preventing cross site scripting
> On Fri, 2003-06-20 at 19:08, Tim Greer wrote:
> > > The most elegant way to control html input would be to parse it to a DOM
> > > tree and control it from there; I'm widely using Tidy to `correct' the
> > > input to XHTML, then by a simple XSL transformation I can filter/alter
> > > whatever elements I need.
> >
> > Can you give a real world example of a URL link/anchor tag on how you
> > would allow or disallow it from becoming active based on specific
> > variables that would prevent an attack that would be a superior method
> > over a regex example, such as I offered?
>
> I can, it takes surely more lines; but I was talking more to the markup
> handling and not on validating the values enclosed in attributes and/or
> text nodes; XSL has string functions which may be used to test and change
> attribute and text node values; you may use them or you may call external
> resources which may better handle them.
>
> > > I consider filtering html as if it was a mere string (i.e. using regexp
> > > or simple replace methods) pretty uncertain in results and not quite
> > > programming :) -- it's a language, it has a grammar, then use a parser.
> >
> > I don't see how anything would be better than a regex, but everyone has
> > their preferences. TIMTOWTDI, I'm sure.
>
> I just like (and consider it safe) to treat markup (sometime before) and
> apart from content.
>
> > You think regex's aren't quite programming? :()
>
> No, regex's are wonderful & powerful tools (not always very readable),
> however, I was regarding the problem in this way: it is tricky (read hard
> to debug) to treat the markup and the content at the same time (at index j
> in a string you might be in a tag name, a value or a comment - way too
> tricky to handle this context incertitude); in my suggestion I can treat
> content while I'm very sure of the context.
Hi,

Please provide some examples of this. I'd like to see your idea(s) at work and
how it would solve this problem. I'm honestly not quite clear on the context in
which you mean this to solve this problem and I'm interested in knowing. I'm
not sure I agree right now, so some examples illustrating it would be great--if
you'd be so kind. Thanks.

--
Regards,
Tim Greer
chatmaster () charter net
Server administration, security, programming, consulting.
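The anchor-tag case Tim asks about, as an added example that is not part of either poster's message: a filter in the spirit of Laurian's "parse first, decide per element" approach, using Python's standard html.parser as a stand-in for Tidy plus XSLT. The href of an <a> is kept or dropped by URL scheme at the moment the parser knows it is inside an attribute value, and text nodes are re-escaped as text; the element allowlist and the scheme set are assumptions chosen for this example.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Allowlist (an assumption for this example): element -> attributes kept.
ALLOWED = {"a": {"href"}, "b": set(), "i": set(), "p": set()}
SAFE_SCHEMES = {"http", "https", "mailto"}

def safe_href(value):
    # Relative paths or absolute http(s)/mailto only. Control characters and
    # whitespace are dropped first, so "java\tscript:" reads as a browser would.
    scheme = urlsplit("".join(c for c in value if ord(c) > 32)).scheme.lower()
    return scheme == "" or scheme in SAFE_SCHEMES

class AllowlistFilter(HTMLParser):
    # Rebuilds the fragment from parser events, so every decision is made
    # knowing whether we are in a tag name, an attribute value or text.
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open_tags = [], []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            return                      # unknown element: tag dropped, text kept
        kept = ""
        for name, value in attrs:
            if name in ALLOWED[tag] and value is not None:
                if name == "href" and not safe_href(value):
                    continue            # a javascript: link loses its href
                kept += f' {name}="{escape(value, quote=True)}"'
        self.out.append(f"<{tag}{kept}>")
        self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag not in self.open_tags:
            return                      # stray close tag: ignored
        while (closed := self.open_tags.pop()) != tag:
            self.out.append(f"</{closed}>")
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))   # text stays text

def filter_html(fragment):
    p = AllowlistFilter()
    p.feed(fragment)
    p.close()
    while p.open_tags:                  # close whatever the input left open
        p.out.append(f"</{p.open_tags.pop()}>")
    return "".join(p.out)
```

Comments and unknown elements never reach the output, so the only way for input to produce a tag is to pass the allowlist, and the only way for an href to survive is to pass safe_href.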