From: Laurian Gridinoc (laur_at_grapefruitdesign.com)
Date: Mon Sep 23 2002 - 08:19:06 CDT
b0iler wrote:
>So how about this: Have the web browser (or a plugin) check if any data
>submitted to the website is being interpreted as scripting. Then disallow
>any of it to be used as scripting. This will not totally solve XSS, but it
>will prevent the most common XSS (the simple, unchanged input echoed to the
>client).
>
In the end disallowing javascript-like words?
Yahoo did that :) check:
http://www.ntk.net/2002/07/12/
I think that the check should be, in the end, in the webapp, when
`displaying' data - where the script is interpretable, since on
submission it may be multiply escaped/encoded to bypass the webapp filter
logic.
Cheers,
-
Laurian Gridinoc
Chief Developer
GRAPEFRUIT DESIGN
----------------------------------------------------------------------
E laur_at_grapefruitdesign.com
ICQ 73831683
T/F +40.232.233068 (Romania)
T/F 646.349.2916 (US), 0845.127.5996 (UK)
M +40.745.304379
WEB www.grapefruitdesign.com
----------------------------------------------------------------------
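Added example illustrating the point made above (not code from the original post or from either poster): an input-side keyword filter only sees the bytes as submitted, while a display-time HTML encoder runs where the data is actually interpretable. The multi-layer decoding and the blocked-word list are assumptions constructed for the demonstration; the sample input is likewise constructed.

```python
import html
from urllib.parse import unquote

# Naive blocklist of the "javascript-like words" kind discussed in the
# thread (constructed for this example).
BLOCKED_WORDS = ("<script", "javascript:", "onerror=")


def submission_filter_allows(raw: str) -> bool:
    """Input-side check of the sort b0iler proposes: it inspects only the
    submitted form of the data, so it has no idea how many decoding layers
    the application will apply later."""
    lowered = raw.lower()
    return not any(word in lowered for word in BLOCKED_WORDS)


def application_decodes(raw: str, layers: int = 2) -> str:
    """Stand-in for a webapp that URL-decodes its input more than once
    before storing it (an assumption made for this example)."""
    value = raw
    for _ in range(layers):
        value = unquote(value)
    return value


def render_for_html_text(value: str) -> str:
    """Display-time encoding for an HTML text context: every character
    that could start markup becomes an entity, so the stored data is shown
    verbatim and is never interpretable as script."""
    return html.escape(value, quote=True)


def render_page(stored_value: str) -> str:
    """Build the HTML fragment the browser would receive."""
    return "<p>Your comment: " + render_for_html_text(stored_value) + "</p>"


def walk_through(raw_submission: str) -> dict:
    """Run one submission through both checks and report what each saw."""
    stored = application_decodes(raw_submission)
    page = render_page(stored)
    return {
        "input_filter_allowed": submission_filter_allows(raw_submission),
        "stored_value": stored,
        "stored_contains_markup": "<" in stored,
        "page_contains_raw_tag": "<script" in page.lower(),
        "page": page,
    }


if __name__ == "__main__":
    # Constructed sample: the submitted bytes contain no blocked word,
    # but two URL-decoding passes turn them into a script tag.
    sample = "%253Cscript%253Ealert(1)%253C/script%253E"
    for key, val in walk_through(sample).items():
        print(f"{key}: {val}")
```

The input filter reports the constructed submission as allowed, the decoded stored value does contain a script tag, and the rendered page still contains no raw tag because the encoding decision is taken at display time, where the context (HTML text) is known. The same encoder is also safe for ordinary data: a comment such as `O'Reilly & <3` is rendered as `O&#x27;Reilly &amp; &lt;3` rather than being rejected by a word list.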