Re: Fixing XSS Vulns

[Petko Petkov <ppetkov () gnucitizen org>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
wilsonc wrote:

> I'm a new developer to a project, and I've found that our web app
> is wide open for XSS exploits. (thankfully, its not in production
> use). I'm not a security expert, but I did some googling and found
> that the standard procedure is basically to "encode" the string
> before displaying it to the user, so that specific characters are
> transformed into their HTML 'escape sequence'. For example, the
> left paren, '(' would be encoded to be (
>
> A more experience developer has suggested that instead of writing a
> function to do this when we display, we write a trigger to
> encode/filter on capture. I explained to him that it would be that
> HTML-specific 'escape sequences' would then be stored in the
> database, and what I learned from googling. He feels confident that
> our data will only be displayed through a web app, and not through
> any kind of reporting module, and he feels the trigger to encode
> text is a cleaner implementation. Assuming your data was only going
> to be displayed back to the user via the same website that captured
> the input, is there anything wrong with encoding the string on
> capture?
>
> --CW
>
>
>
>
> .
It depends on your application. I would suggest encoding the string
before displaying it to the user since such implementation will make
your data records a bit more independent from the rest of your
application.

However, speaking about security? make sure that all input fields to
your application are properly sanitized.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (MingW32)
 
iD8DBQFC/L+IFf/6vxAyUpgRAnOEAJ9wZBGy3kmqQboXPxQRAeXNVy40kQCaA1LF
ofG8z2gVt178/RZ0X3K9dXc=
=7b29
-----END PGP SIGNATURE-----