WebApp Sec mailing list archives

Re: Preventing XSS


From: Mark Curphey <mark () curphey com>
Date: Fri, 20 Jun 2003 15:52:47 -0400 (EST)

OWASP Filters are being blended into the OWASP Commons Library sometime soon. 

You can pull the original code from CVS using anonymous pserver. 

http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/owasp/filters/

cvs -d:pserver:anonymous () cvs sourceforge net:/cvsroot/owasp login 
 
cvs -z3 -d:pserver:anonymous () cvs sourceforge net:/cvsroot/owasp co filters

user anonymous when prompted for a password

You can read the release notes on the OCL at 

http://sourceforge.net/project/shownotes.php?release_id=165694

We tried to get 

There is a lot of great stuff in the OCL and it's well worth a look. Brainchild of Ingo Struck.

---- Ulf Harnhammar <metaur () operamail com> wrote:
Hello!

I see that a lot of people here are interested in preventing Cross-Site Scripting. Why don't you join the people who are working on filters for it (like my kses in PHP, or someone else's HTML::StripScripts::Parser in Perl), so we end up with really robust open-source implementations that we can point people to?

Talking about filters, didn't the OWASP Project use to work on them as well? Did they release anything?

Another question: People were discussing a <dead> tag earlier that would temporarily stop execution of JavaScript in a web page. (Not that the XSS problem is only related to JavaScript, mind you, meta refreshes can be just as bad.) Did someone start implementing that?

Another two pence to the general XSS discussion: it's not just about whole HTML elements, it's also about fragments. With this PHP code:

echo "<a href=\"$url\">Homepage</a>\n";

you can cause an XSS problem if $url is:

http://www.somestupidsite.tk/"; onMouseOver="alert(57)

Just processing "<" and ">" won't help you. In this type of fragment, quotes and apostrophes must be handled as well.

// Ulf Harnhammar
   kses - PHP HTML filter
   http://sourceforge.net/projects/kses

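The attribute-context problem Ulf describes, worked through in PHP as an added example (this is not code from either poster or from kses). It renders the same `<a href="...">` fragment twice: once with the unescaped interpolation from the post, and once through `htmlspecialchars()` with `ENT_QUOTES`, which encodes double quotes and apostrophes in addition to `<`, `>` and `&`, so the value cannot close the attribute. The sample `$url` is constructed to match the shape of the payload in the post; the `isAllowedUrl()` scheme check is an extra step beyond the post, since escaping alone does not stop a non-http scheme in an `href`.

```php
<?php
// Added example, not code from the original post or from kses.

// Constructed sample input, modelled on the payload shape quoted in the post.
$url = 'http://www.somestupidsite.tk/"; onMouseOver="alert(57)';

// Vulnerable rendering (same pattern as the snippet in the post): the quote in
// $url terminates the href value and the remainder becomes a new attribute.
function renderUnsafe(string $url): string
{
    return "<a href=\"$url\">Homepage</a>\n";
}

// Hardened rendering: ENT_QUOTES makes htmlspecialchars() encode both " and ',
// so the value stays inside the quoted attribute whichever quote style is used.
function renderSafe(string $url): string
{
    $escaped = htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<a href=\"$escaped\">Homepage</a>\n";
}

// Extra check for URL-bearing attributes (beyond the post): accept only
// http/https, because a value with a different scheme contains no quotes or
// angle brackets and would pass escaping untouched.
function isAllowedUrl(string $url): bool
{
    return (bool) preg_match('#^https?://#i', $url);
}

echo "Unescaped:\n", renderUnsafe($url);
echo "Escaped:\n", renderSafe($url);
echo "Scheme check: ", isAllowedUrl($url) ? "allowed" : "rejected", "\n";
```

In the escaped output the embedded `"` appears as `&quot;`, so the browser sees one long (odd-looking but harmless) href rather than an extra event-handler attribute. Apply the same `ENT_QUOTES` escaping to every attribute value, not just those wrapped in double quotes; unquoted attributes cannot be made safe by escaping at all and should be avoided.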



