From: Greg Steuck (greg-webappsec_at_nest.cx)
Date: Thu Aug 08 2002 - 00:15:08 CDT
>>>>> "Doug" == Doug Sibley <doug.sibleybmo.com> writes:
Doug> Hi, I think what we need to come up with is an easy way
Doug> for developers to create web-apps with user content in them
Doug> that isn't vulnerable to XSS.
XSS is easy to prevent; somebody tell me it takes more than 2 primitives:
writeCharData() and writeAttributeData()
The former changes "<>&" to the corresponding entities, the latter "<>&'\"".
Then you use these everywhere you paste data into the template.
Since I was stuck with JSP for the last year, it is the easiest for me to
illustrate now. So, you forget about <%= %>, it becomes
<% write*Data(data, out); %>
Is there any way to break this?
Note I don't filter the input, I don't care what it is, I just make sure
that the output is syntactically correct no matter what data I have
to splice in.
The real blame for the XSS parade lies with nearsighted vendors that didn't
include an easy shortcut for such an obvious quoting operation. Imagine if
<%= %> by default did writeCharData, and instead you had to
use a special arcane form (<% out.write(); %>) to get as-is insertion.
P.S. Should I just show the code instead of these long-winded
P.P.S. Yes, I know that the original poster was tackling a bigger problem.
No, I don't think his solution is the right one, but my opinion on the
solution to that problem is a bit too long for this evening.
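The two primitives described above, as an added example that is not part of the original post: Python stand-ins for writeCharData()/writeAttributeData() (the function names, the comment template and the attacker inputs are my own constructions, not Greg's code), plus a parser-based check that answers his "Is there any way to break this?" for one case a practitioner runs into. The encoders hold only when the template itself is well-formed: an attribute value that is attribute-encoded but left unquoted can still be broken with a payload that contains none of the five encoded characters.

```python
from html.parser import HTMLParser

# Added example: Python stand-ins for the two primitives in the post.
# Function names are assumptions of this example, not the poster's API.


def write_char_data(data: str) -> str:
    """Element-content encoder: turn < > & into entities.
    '&' must be handled first, or the entities just emitted get re-encoded."""
    return (data.replace("&", "&amp;")
                .replace("<", "&lt;")
                .replace(">", "&gt;"))


def write_attribute_data(data: str) -> str:
    """Attribute-value encoder: everything write_char_data does, plus both
    quote characters, so the data can never close a quoted attribute.
    &#39; is used for the apostrophe because &apos; is not an HTML 4 entity."""
    return (write_char_data(data)
                .replace('"', "&quot;")
                .replace("'", "&#39;"))


def render_comment(author: str, body: str) -> str:
    """Constructed template fragment in the style the post proposes: every
    splice point calls the encoder matching its context, never a raw <%= %>."""
    return (
        f'<div class="comment" data-author="{write_attribute_data(author)}">'
        f'<b>{write_char_data(author)}</b>: {write_char_data(body)}</div>'
    )


def render_quoted_input(value: str) -> str:
    """Correct use: the attribute value is both quoted and attribute-encoded."""
    return f'<input name="q" value="{write_attribute_data(value)}">'


def render_unquoted_input(value: str) -> str:
    """Caveat case: same encoder, but the template author forgot the quotes."""
    return f'<input name="q" value={write_attribute_data(value)}>'


class _TagCollector(HTMLParser):
    """Tokenise the rendered HTML roughly as a browser would and record the
    start tags and the attribute names each one actually ends up with."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, [name for name, _ in attrs]))


def _parse(markup: str) -> list:
    p = _TagCollector()
    p.feed(markup)
    p.close()
    return p.tags


def start_tags(markup: str) -> list:
    """Names of all start tags the parser sees in markup."""
    return [tag for tag, _ in _parse(markup)]


def attribute_names(markup: str, tag: str) -> list:
    """Attribute names the parser sees on the first <tag> in markup."""
    for name, attrs in _parse(markup):
        if name == tag:
            return attrs
    return []


if __name__ == "__main__":
    # Constructed attacker input: a classic tag break-out attempt.
    hostile_author = '"><script>alert(1)</script>'
    print(render_comment(hostile_author, "hello & <goodbye>"))
    print(start_tags(render_comment(hostile_author, "")))  # no 'script' tag

    # Constructed payload using none of < > & ' ", so it passes
    # write_attribute_data() unchanged; only the template's quotes stop it.
    payload = "x onfocus=alert(1) autofocus"
    print(attribute_names(render_quoted_input(payload), "input"))
    # ['name', 'value']
    print(attribute_names(render_unquoted_input(payload), "input"))
    # ['name', 'value', 'onfocus', 'autofocus']
```

The quoted form yields a single `value` attribute whatever the payload, while the unquoted form hands the attacker two new attributes, one of them an event handler. The primitives therefore do what the post claims for element content and for quoted attribute values; the remaining obligation is on the template to supply the quotes and to keep untrusted data out of contexts (URL schemes, unquoted attributes) where these two encoders are not the right tool.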