RE: Preventing cross site scripting

From: David Cameron (dcameronitis-now.com)
Date: Thu Jun 19 2003 - 21:30:06 CDT


You might also want to think about some things that are not likely to provide XSS, but would cause visual problems. E.g. <img src="" width="10000000" height="20000000"> or excessively large/small fonts.

regards
David Cameron
nOw.b2b
dcameronitis-now.com

> -----Original Message-----
> From: Bob Lee [mailto:crazybobcrazybob.org]
> Sent: Friday, 20 June 2003 12:19 PM
> To: webappsecsecurityfocus.com
> Subject: Re: Preventing cross site scripting
>
>
> You can also embed javascript in seemingly harmless tags such
> as "img"
> and in event handlers, such as "onload".
>
> Bob
>
> On Thursday, June 19, 2003, at 08:50 PM, David Cameron wrote:
>
> > Create a list of unacceptable tags in an array (eg applet, embed),
> > loop through the array and generate a regexpr based on the array,
> > something of the form:
> > <(applet)|(embed).?> and replace all instances with "".
> >
> > Do the same for any possible closing tags ie:
> > </(applet)|(embed)> and replace all instances with "".
> >
> > BTW the RegExpr may be wrong, I'm not all that hot on RegExprs, but
> > you get the idea.
> >
> > regards
> > David Cameron
> > nOw.b2b
> > dcameronitis-now.com
> >
> >> -----Original Message-----
> >> From: Andrew Beverley [mailto:mailandybev.com]
> >> Sent: Friday, 20 June 2003 4:28 AM
> >> To: webappsecsecurityfocus.com
> >> Subject: Preventing cross site scripting
> >>
> >>
> >> I am currently writing a web application that, as a small part of it,
> >> needs to display an email message. Obviously the message is potentially
> >> in html format, which to display could be sent straight to the browser.
> >>
> >> I would like to know the best way of filtering out undesirable html. I
> >> understand the best way is to only allow acceptable information, in this
> >> case all the different html formatting tags.
> >>
> >> However, there are a lot of tags that are acceptable. Another approach
> >> would be to strip out all the bad stuff such as <SCRIPT>, <OBJECT>,
> >> <APPLET>, and <EMBED> but this is far from ideal because of new tags
> >> becoming available and so on.
> >>
> >> Are there any functions available (for php) that will take an html page
> >> as input and strip out all nasty stuff? Does anyone have suggestions as
> >> to how to do this as easily as possible?
> >>
> >> Thanks,
> >>
> >> Andrew Beverley
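Added example, not code from anyone in this thread: an allowlist sanitizer built on Python's html.parser, along the lines Andrew calls the best way (keep known-good tags and attributes, drop everything else). It covers Bob's point (an img tag with an onload handler), David's point (absurd width/height values) and javascript: URLs; the tag and attribute sets, scheme list and size limit are assumptions chosen for the example.

```python
import html
from html.parser import HTMLParser

# Allowlist (assumed for this example): tags, per-tag attributes, URL schemes.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "a", "img", "ul", "ol", "li"}
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt", "width", "height"}}
SAFE_SCHEMES = ("http://", "https://", "mailto:")
MAX_DIMENSION = 2000       # clamp width/height; cf. the 10000000x20000000 <img> case
VOID_TAGS = {"br", "img"}  # no closing tag is emitted for these


class AllowlistSanitizer(HTMLParser):
    # Rebuilds the fragment from parsed tokens. Unlisted tags (script, object,
    # applet, embed, ...), unlisted attributes (every on* handler, style) and
    # comments are simply never written back out.
    def __init__(self):
        super().__init__()     # convert_charrefs=True: attribute values and text
        self.out = []          # arrive with entities decoded, so checks see the
        self.skip_depth = 0    # real value; >0 while inside <script>/<style>

    def _attr_ok(self, tag, name, value):
        if name not in ALLOWED_ATTRS.get(tag, set()):
            return False       # drops onload, onclick, style, etc.
        value = (value or "").strip()
        if name in ("href", "src"):
            return value.lower().startswith(SAFE_SCHEMES)  # no javascript:, data:
        if name in ("width", "height"):
            return value.isdigit() and int(value) <= MAX_DIMENSION
        return True

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
        elif tag in ALLOWED_TAGS:
            kept = [f'{n}="{html.escape(v or "", quote=True)}"'
                    for n, v in attrs if self._attr_ok(tag, n, v)]
            self.out.append("<" + " ".join([tag] + kept) + ">")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
        elif tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))  # re-escape text


def sanitize(fragment):
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)
```

html.parser is not a browser's parser, so for anything beyond illustration use a maintained sanitizer library that tracks browser parsing behaviour; the allowlist structure shown here is the part that carries over.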