OSEC

From: Laurian Gridinoc (laur_at_grapefruitdesign.com)
Date: Mon Sep 23 2002 - 08:19:06 CDT

    b0iler wrote:

    >So how about this: Have the web browser (or a plugin) check if any data
    >submitted to the website is being interpreted as scripting. Then disallow
    >any of it to be used as scripting. This will not totally solve XSS, but it
    >will prevent the most common XSS (the simple, unchanged input echoed to the
    >client).
    >
    In the end disallowing javascript-like words?
    Yahoo did that :) check:
    http://www.ntk.net/2002/07/12/

    I think that the check should be in the end in the webapp, when
    'displaying' data - where the script is interpretable, since on
    submission it may be multiply escaped/encoded to bypass the webapp filter
    logic.

    Cheers,

    -
    Laurian Gridinoc
    Chief Developer
    GRAPEFRUIT DESIGN
    ----------------------------------------------------------------------
    E laur@grapefruitdesign.com
    ICQ 73831683
    T/F +40.232.233068 (Romania)
    T/F 646.349.2916 (US), 0845.127.5996 (UK)
    M +40.745.304379
    WEB www.grapefruitdesign.com
    ----------------------------------------------------------------------
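The point Laurian makes above, shown as an added example that is not part of the original thread or any project's code: a submission-time keyword filter inspects the raw field before the web stack URL-decodes it, so it never sees the interpretable form, while escaping at display time neutralises the same data regardless of how it arrived. All function names and the blocklist are hypothetical; the sample submissions are constructed.

```python
import html
import urllib.parse

# Input-side blocklist of the kind the thread argues against (hypothetical rule set).
BLOCKED_FRAGMENTS = ("<script", "javascript:", "onerror=")


def submission_filter_accepts(raw_value: str) -> bool:
    """Check applied on submission, before the framework URL-decodes the field."""
    lowered = raw_value.lower()
    return not any(fragment in lowered for fragment in BLOCKED_FRAGMENTS)


def framework_decode(raw_value: str) -> str:
    """What the web stack does after the filter ran: one round of URL-decoding."""
    return urllib.parse.unquote(raw_value)


def render_unescaped(stored: str) -> str:
    """Echoes stored data into the HTML body verbatim (the bug the thread discusses)."""
    return "<p>" + stored + "</p>"


def render_escaped(stored: str) -> str:
    """Encodes at display time, where the data would otherwise be interpretable as markup."""
    return "<p>" + html.escape(stored, quote=True) + "</p>"


def handle_submission(raw_value: str) -> dict:
    """Run one submission through both strategies and report what each yields."""
    accepted = submission_filter_accepts(raw_value)
    stored = framework_decode(raw_value) if accepted else None
    return {
        "accepted_by_input_filter": accepted,
        "stored": stored,
        "unescaped_html": render_unescaped(stored) if accepted else None,
        "escaped_html": render_escaped(stored) if accepted else None,
    }


def is_html_inert(rendered: str) -> bool:
    """True if the data inside the <p> carries no raw tag or attribute delimiters."""
    body = rendered[len("<p>"):-len("</p>")]
    return "<" not in body and ">" not in body and '"' not in body


if __name__ == "__main__":
    # Constructed submissions: a harmless comment, and a script tag as a browser
    # URL-encodes it in a form field, so the raw value never contains "<script".
    for raw in ("Nice post, thanks!", urllib.parse.quote("<script>alert(1)</script>")):
        print(raw, "->", handle_submission(raw))
```

The decoded payload reaches the page only through the unescaped renderer; the escaped renderer emits the same data as inert text, which is why the check belongs at display time.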