WebApp Sec mailing list archives

Re: [Re: AppSec FAQ at OWASP]


From: Sangita Pakala <sangita.pakala () paladion net>
Date: Thu, 29 Jan 2004 22:09:48 +0550


オマル イスマイル <isumai-u () is aist-nara ac jp> wrote:
I would like to know how you deal with false positives.
In the case of <img src="javascript:preview(....)"> or
<img src="javascript:window.close()">, etc.
If you escape the "(" and ")", that means you render out the harmless
JavaScript too.


I'm not sure if I've understood the issue, so please correct me if I'm wrong. You
would not escape *every* '<' or '(' in the HTML page. You would only escape
those which come from user-supplied inputs in the first place. I assume that
the harmless calls to preview() and window.close() are *not* user-supplied
inputs, but part of the HTML page template. So, there shouldn't be false
positives escaping '(' and ')' from content that came from user-supplied
inputs.

Thanks,
Sangita.
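
The escaping boundary the reply describes, as an added example that is not code from the thread or from OWASP: a minimal template renderer that entity-encodes only the values that came from the user (including '(' and ')', as discussed above) and emits the page template's own markup, javascript: calls included, verbatim. It also covers the case the reply does not: when user input lands in a src/href attribute, entity encoding alone does not help, because "javascript:alert(1)" contains no characters that encoding changes in a way the browser would not undo, so the URL has to be allow-listed instead. The placeholder syntax ({{name}} and {{name:url}}), the function names, the template and the sample input are all assumptions constructed for this example.

```python
import re

# Added example (not code from the original thread). Characters escaped in
# user-supplied values: the usual HTML metacharacters plus '(' and ')',
# mirroring the approach discussed above. A browser decodes the entities
# back to literal characters, so harmless text still renders as typed.
_ESCAPES = {
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#x27;",
    "(": "&#40;",
    ")": "&#41;",
}


def escape_user_input(value: str) -> str:
    """Entity-encode a user-supplied string for an HTML text or
    quoted-attribute context. Template content never passes through here."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


_SAFE_SCHEMES = ("http://", "https://")


def safe_url(value: str) -> str:
    """Allow-list a user-supplied URL for a src/href attribute.

    Entity encoding is the wrong tool in a URL context: 'javascript:alert(1)'
    has no '<' or '"' to encode, and the browser decodes '&#40;' back to '('
    before evaluating the URL. So only absolute http(s) URLs and
    root-relative paths are accepted; anything else becomes a harmless '#'.
    Control characters and whitespace are removed before the scheme check,
    because browsers ignore them inside a scheme ('java\\tscript:')."""
    v = value.strip()
    cleaned = re.sub(r"[\x00-\x20]", "", v.lower())
    if cleaned.startswith(_SAFE_SCHEMES):
        return escape_user_input(v)
    if cleaned.startswith("/") and not cleaned.startswith("//"):
        return escape_user_input(v)
    return "#"


# {{name}} -> escaped text/attribute value; {{name:url}} -> allow-listed URL.
_PLACEHOLDER = re.compile(r"\{\{(\w+)(?::(url))?\}\}")


def render(template: str, user_values: dict) -> str:
    """Substitute placeholders with user values, escaping each one according
    to the context it is placed in. Everything else in the template is
    emitted verbatim, because it is trusted page markup, not user input."""

    def substitute(match: re.Match) -> str:
        name, kind = match.group(1), match.group(2)
        raw = user_values.get(name, "")
        return safe_url(raw) if kind == "url" else escape_user_input(raw)

    return _PLACEHOLDER.sub(substitute, template)


# Constructed page template. The javascript: calls here are the page
# author's own markup, like the preview() / window.close() examples in the
# thread, and must survive rendering untouched. (Current browsers no longer
# execute javascript: URLs in <img src>; the escaping boundary shown here is
# the same for any context.)
PAGE_TEMPLATE = (
    '<img src="javascript:preview()" alt="preview">\n'
    '<a href="javascript:window.close()">close</a>\n'
    '<p>Hello, {{name}}</p>\n'
    '<img src="{{avatar:url}}" alt="avatar">\n'
)

# Constructed sample input: what an attacker might submit through the form.
SAMPLE_INPUT = {
    "name": '<img src="javascript:alert(1)">',
    "avatar": "javascript:alert(document.cookie)",
}


def demo() -> str:
    """Render the template with the hostile sample input."""
    return render(PAGE_TEMPLATE, SAMPLE_INPUT)


if __name__ == "__main__":
    print(demo())
```

Running it prints the template's preview() and window.close() lines unchanged, the user's name as inert text ("&lt;img src=&quot;javascript:alert&#40;1&#41;&quot;&gt;"), and "#" in place of the javascript: avatar URL. The point is that the decision to escape is made per value based on where it came from and where it is going, not by scanning the finished page for suspicious characters.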



