From: Jeff Hunsaker (jeffhunsaker@hotmail.com)
Date: Mon Feb 04 2002 - 09:57:08 CST
Under IIS/ASP, the Server.HTMLEncode() method encodes characters
automatically but I usually use regular expressions coded for specific
inputs to check anything sent to the server.
----Original Message Follows----
From: "HarryM" <harrym@the-group.org>
To: <webappsec@securityfocus.com>, "Lincoln Yeoh" <lyeoh@pop.jaring.my>
Subject: Re: Webappsec FAQ?
Date: Mon, 4 Feb 2002 06:06:29 -0000
Someone determined and knowledgeable will always find a way; however, you
can do a lot by filtering out things like <object>, <embed>, <applet> and of
course <script>. You can also do other things if you want to use Regex...
if things like <*vb*>
would be relevant but it would be worth looking into. Probably the
and most effective strategy would be to str_replace all the output variables
to convert < to &lt; and > to &gt;. That will defeat the vast majority of
malicious scripting attacks, although there are probably ways to get around
that too - especially if your scripts convert unicode or hex into ascii, or
something like that. There are so many permutations for things like this
that it's impossible to get them all, but you can do a lot.
----- Original Message -----
From: "Lincoln Yeoh" <lyeoh@pop.jaring.my>
Sent: Monday, February 04, 2002 4:54 AM
Subject: Webappsec FAQ?
> Where can I find the webappsec FAQ?
> active content) on my webapps when displaying HTML from nontrusted
> (e.g. email, users etc). There seem to be thousands of ways to smuggle
> on the user's browser.
> If only browser manufacturers would create a tag for "active content
> disabled from now on, re-enabled by this passcode: ab412f83d921dc389".
> I suppose they won't be able to do that properly either ;).
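As an added illustration (not code from this thread, and in Python rather than ASP or PHP), here is the output-encoding approach Jeff and HarryM describe, alongside the pitfall HarryM mentions: if the application still converts hex escapes into ASCII after the encoding step, the encoding is undone. The function names and the sample input are my own.

```python
import urllib.parse

def html_encode(text: str) -> str:
    """Escape the characters that let untrusted text change HTML structure.
    Same idea as Server.HTMLEncode() or the str_replace on < and > from the
    thread, extended to & and quotes so attribute contexts are covered too.
    '&' is replaced first so the entities produced later are not re-encoded."""
    return (text.replace("&", "&amp;")
                .replace("<", "&lt;")
                .replace(">", "&gt;")
                .replace('"', "&quot;")
                .replace("'", "&#39;"))

def render_wrong(untrusted: str) -> str:
    """Encode, then decode %XX escapes afterwards (the failure mode the thread
    warns about). Because the decoder runs after the encoder, a '<' that
    arrived as %3C reaches the page unencoded."""
    encoded = html_encode(untrusted)
    return urllib.parse.unquote(encoded)

def render_right(untrusted: str) -> str:
    """Canonicalize first (undo every transport encoding the app applies),
    then HTML-encode as the very last step before writing the page."""
    canonical = urllib.parse.unquote(untrusted)
    return html_encode(canonical)

def has_raw_markup(rendered: str) -> bool:
    """True if a literal '<' or '>' survived, i.e. the browser would see markup."""
    return "<" in rendered or ">" in rendered

# Constructed sample input: untrusted text carrying a %XX-escaped tag, the way
# a form field or mail body the app later hex-decodes might.
SAMPLE = "Hi %3Cb%3Ethere%3C/b%3E"

if __name__ == "__main__":
    print("wrong order:", render_wrong(SAMPLE))   # raw <b> reaches the page
    print("right order:", render_right(SAMPLE))   # &lt;b&gt; is inert text
```

The same ordering rule applies to any other decoding the application performs (base64, unicode escapes, double URL-encoding): decode everything first, then encode once, at the point of output.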