RE: Preventing cross site scripting

From: Michael Howard (mikehow@microsoft.com)
Date: Thu Jun 19 2003 - 23:19:34 CDT


You can never know all the 'unacceptable' tags and the escaped versions
etc. Why not simply define the list of 'acceptable' tags, look for
those, and anything you don't like you whitespace. Simple and safe! The
worst you're gonna get is an annoyed customer who thinks you screwed them
on what they consider is valid. Better that than a bunch of REALLY
annoyed customers who think your stuff is unsafe!

Cheers, Michael
Writing Secure Code 2nd Edition
http://www.microsoft.com/mspress/books/5957.asp

-----Original Message-----
From: David Cameron [mailto:dcameron@itis-now.com]
Sent: Thursday, June 19, 2003 6:51 PM
To: Andrew Beverley; webappsec@securityfocus.com
Subject: RE: Preventing cross site scripting

Create a list of unacceptable tags in an array (e.g. applet, embed), loop
through the array and generate a regexpr based on the array, something
of the form:
<(applet|embed)[^>]*> and replace all instances with "".

Do the same for any possible closing tags, i.e.:
</(applet|embed)> and replace all instances with "".

BTW the RegExpr may be wrong, I'm not all that hot on RegExprs, but you
get the idea.

regards
David Cameron
nOw.b2b
dcameron@itis-now.com

> -----Original Message-----
> From: Andrew Beverley [mailto:mail@andybev.com]
> Sent: Friday, 20 June 2003 4:28 AM
> To: webappsec@securityfocus.com
> Subject: Preventing cross site scripting
>
>
> I am currently writing a web application that, as a small part of it,
> needs to display an email message. Obviously the message is
> potentially in html format, which to display could be sent straight to
> the browser.
>
> I would like to know the best way of filtering out undesirable html. I
> understand the best way is to only allow acceptable information, in
> this case all the different html formatting tags.
>
> However, there are a lot of tags that are acceptable. Another approach
> would be to strip out all the bad stuff such as <SCRIPT>, <OBJECT>,
> <APPLET>, and <EMBED>, but this is far from ideal because of new tags
> becoming available and so on.
>
> Are there any functions available (for php) that will take a html page
> as input and strip out all nasty stuff? Does anyone have suggestions
> as to how to do this as easily as possible?
>
> Thanks,
>
> Andrew Beverley
>
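To make the two approaches in this thread concrete, here is an added example of my own; it is not code from any of the posters, and it is in Python (using the standard library's html.parser) rather than the PHP Andrew asked about. It puts the tag blacklist regex from David's message, generalized to a configurable list, beside the allowlist sanitizer Michael recommends. The tag and attribute allowlists, the URL scheme check and the sample inputs are all my assumptions, constructed for illustration; the point is that the blacklist lets anything it has not heard of through, while the allowlist drops everything it has not explicitly approved.

```python
import html
import re
from html.parser import HTMLParser

# --- Approach 1: blacklist (the regex idea from the thread, generalized) ---
# Strips a fixed set of "bad" tags. Anything not on the list passes through.
BLACKLIST = ("applet", "embed", "object", "script")
_BLACK_RE = re.compile(r"</?(?:%s)\b[^>]*>" % "|".join(BLACKLIST), re.IGNORECASE)


def blacklist_strip(markup):
    """Remove opening and closing tags named in BLACKLIST; keep everything else."""
    return _BLACK_RE.sub("", markup)


# --- Approach 2: allowlist (what Michael recommends) ---
# Assumed policy for an e-mail viewer: a few formatting tags, href on <a> only,
# and only http/https/mailto URLs. Everything else is dropped or escaped.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "ul", "ol", "li", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_SCHEMES = ("http://", "https://", "mailto:")
VOID_TAGS = {"br"}


class AllowlistSanitizer(HTMLParser):
    """Re-emits only allowlisted tags/attributes; all text is entity-escaped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # unknown tag is dropped; its text content is still emitted
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, ()) or value is None:
                continue  # drops onclick, style, etc.
            if name == "href" and not value.strip().lower().startswith(SAFE_SCHEMES):
                continue  # drops javascript:, data:, vbscript: URLs
            kept.append(' %s="%s"' % (name, html.escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag not in self.open_tags:
            return  # stray or disallowed closing tag
        # Close any tags still open above it so the output stays well formed.
        while self.open_tags:
            closed = self.open_tags.pop()
            self.out.append("</%s>" % closed)
            if closed == tag:
                break

    def handle_data(self, data):
        # Entity references were decoded by the parser; re-escape everything.
        self.out.append(html.escape(data, quote=False))

    # Comments, <!DOCTYPE ...> and <?...?> hit the default no-op handlers: dropped.

    def result(self):
        self.close()
        while self.open_tags:  # close anything the input left open
            self.out.append("</%s>" % self.open_tags.pop())
        return "".join(self.out)


def sanitize(markup):
    """Return markup containing only ALLOWED_TAGS/ALLOWED_ATTRS, text escaped."""
    parser = AllowlistSanitizer()
    parser.feed(markup)
    return parser.result()


if __name__ == "__main__":
    # Constructed samples, not real mail.
    for sample in (
        '<img src=x onerror=alert(1)>',            # not on the blacklist at all
        '<scr<script>ipt>alert(1)</script>',       # stripping the inner tag rebuilds it
        '<a href="javascript:alert(1)" onclick="x">link</a>',
    ):
        print("blacklist:", blacklist_strip(sample))
        print("allowlist:", sanitize(sample))
```

The first sample shows the gap Andrew worried about (a tag nobody put on the list); the second shows that a single-pass strip can assemble the very tag it removed; the third shows that even an approved tag needs its attributes and URL schemes allowlisted, not just its name.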