From: Greg Steuck (greg-webappsec_at_nest.cx)
Date: Thu Aug 08 2002 - 00:15:08 CDT


    >>>>> "Doug" == Doug Sibley <doug.sibleybmo.com> writes:

        Doug> Hi, I think what we need to come up with is an easy way
        Doug> for developers to create web-apps with user content in them
        Doug> that isn't vulnerable to XSS.

    XSS is easy to prevent, somebody tell me it takes more than 2 primitives
    on output:

    writeCharData() and writeAttributeData()

    The former changes "<>&" to the corresponding entities, the latter - "<>&'\"".

    Then you use these everywhere where you paste data into the template.
    Since I was stuck with JSP for the last year it is the easiest for me to
    illustrate now. So, you forget about <%= %>, it becomes

    <% write*Data(data, out); %>

    Is there any way to break this?

    Note I don't filter the input, I don't care what it is, I just make sure
    that the output is syntactically correct no matter what data I have
    to splice in.

    <rant>
    The real blame for the XSS parade lies with nearsighted vendors that didn't
    include an easy shortcut for such an obvious quoting operation. Imagine if
    <%= %> by default was doing writeCharData. And instead you would have to
    use a special arcane form (<% out.write(); %>) to get the as-is insertion.
    How many stupid XSS and javascript insertion attacks would never happen?
    </rant>

    Thanks
    Greg

    P.S. Should I just show the code instead of these long-winded
    explanations?

    P.P.S. Yes, I know that the original poster was tackling a bigger problem.
    No, I don't think his solution is the right one, but my opinion on the
    solution to that problem is a bit too long for this evening.
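The two output primitives Greg describes, written out as an added example (this is not code from the post; the method names writeCharData and writeAttributeData are his, the class name XssOutput, the string-returning helpers and the sample input are assumptions made here). Both take a java.io.Writer so they can be called from a JSP scriptlet as `<% XssOutput.writeCharData(data, out); %>`, and the main method shows the same untrusted string spliced into an attribute and into element text:

```java
import java.io.IOException;
import java.io.StringWriter;
import java.io.Writer;

/** Output-side escaping primitives: the input is never filtered, only the
 *  output is made syntactically correct for the context it lands in. */
public final class XssOutput {

    /** For text between tags: neutralises the three characters that can
     *  open a tag or start an entity. */
    public static void writeCharData(String data, Writer out) throws IOException {
        for (int i = 0; i < data.length(); i++) {
            char c = data.charAt(i);
            switch (c) {
                case '<': out.write("&lt;");  break;
                case '>': out.write("&gt;");  break;
                case '&': out.write("&amp;"); break;
                default:  out.write(c);
            }
        }
    }

    /** For values inside a quoted attribute: additionally neutralises both
     *  quote characters, so the data can never close the attribute whichever
     *  quote the template used. '&#39;' is used rather than '&apos;' because
     *  the latter is not defined in HTML 4. */
    public static void writeAttributeData(String data, Writer out) throws IOException {
        for (int i = 0; i < data.length(); i++) {
            char c = data.charAt(i);
            switch (c) {
                case '<':  out.write("&lt;");   break;
                case '>':  out.write("&gt;");   break;
                case '&':  out.write("&amp;");  break;
                case '\'': out.write("&#39;");  break;
                case '"':  out.write("&quot;"); break;
                default:   out.write(c);
            }
        }
    }

    /** String-returning convenience wrapper (assumed helper, not in the post). */
    public static String charData(String data) throws IOException {
        StringWriter w = new StringWriter();
        writeCharData(data, w);
        return w.toString();
    }

    /** String-returning convenience wrapper (assumed helper, not in the post). */
    public static String attributeData(String data) throws IOException {
        StringWriter w = new StringWriter();
        writeAttributeData(data, w);
        return w.toString();
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample of user content containing all five special characters.
        String userData = "O'Brien & \"friends\" <b>bold</b>";
        StringWriter out = new StringWriter();

        // Template: <p title="...">...</p>, with the data spliced in twice.
        out.write("<p title=\"");
        writeAttributeData(userData, out);   // attribute context
        out.write("\">");
        writeCharData(userData, out);        // element text context
        out.write("</p>");

        // Prints:
        // <p title="O&#39;Brien &amp; &quot;friends&quot; &lt;b&gt;bold&lt;/b&gt;">O'Brien &amp; "friends" &lt;b&gt;bold&lt;/b&gt;</p>
        System.out.println(out);
    }
}
```

The attribute primitive assumes the template always quotes its attributes; an unquoted attribute is terminated by whitespace, which neither primitive touches. Likewise, neither covers data spliced into a `<script>` block or a URL, which need their own context-specific writer; the two primitives cover exactly the two HTML contexts the post names.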