From: Dan Kaminsky (dan_at_doxpara.com)
Date: Tue Oct 15 2002 - 09:52:37 CDT

    > A universal solution to XSS or almost any security problem is not
    > possible.
    > This is because you need to consider function as well as security.

    You also need to consider function as well as security. As I pointed
    out earlier, something akin to a <SCRIPTEND> tag to permanently disable
    all inline script parsing of HTML after a certain point would be
    remarkably effective -- essentially, the web server could output its own
    trusted content w/ scripting, then all that came after would be
    (relatively) safe HTML. By irrevocably removing functionality after a
    given point, we're not faced with the state explosion of trying to
    define those few options we'll allow to survive within the sandbox that
    won't let you dig your way out.

    Of course, there become issues with links to remote sites that contain
    one of the dozen or so unpatched browser bugs, but that's an entirely
    different issue.

    One other thing we've needed for some time is for someone to fund work
    on Mozilla to extract the script parsing engine and convert it into a
    component of some sort that accepts HTML and returns whether script
    calls or various tags do or do not show up in said HTML, *as parsed by a
    legitimate browser*. As you point out, one can scrub with some
    extraordinary fervor and there's still some other way that browsers have
    been built to understand content. We've *got* an Open Source browser
    here that's been built to function with most of the various contexts the
    web has to offer. A last ditch "run post through a server-side browser,
    and if it still shows tags/scripts/etc, drop it" function would be useful.

    Yours Truly,

        Dan Kaminsky
        DoxPara Research
        http://www.doxpara.com
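The two mechanisms described in the message above, as one added example that is not part of the original post or of any Neohapsis or DoxPara code: the "trusted script first, then nothing after the boundary may run" idea is realised here with a per-response Content-Security-Policy nonce (the closest modern mechanism to the proposed <SCRIPTEND> tag; it assumes a browser that honours CSP), and the "run the post through a real parser and drop it if active content survives" idea is realised with Python's html.parser standing in for the browser-engine component the post asks for (a real deployment would drive an actual engine). All sample inputs are constructed for the example.

```python
"""Added example, not code from the original message or its author.

render_page() emits the site's own script under a fresh CSP nonce, then the
user-supplied fragment with no nonce, so nothing after that boundary can
execute in a CSP-aware browser. audit()/accept_post() walk HTML the way a
tokenizer does and reject a submission in which any active content survives
(the last-ditch check the post describes; old browsers ignore CSP, so the
boundary alone is not enough). html.parser is a stand-in for a real engine.
"""
import re
import secrets
from html.parser import HTMLParser

# Elements that can load or run code on their own (assumed list, not exhaustive).
ACTIVE_TAGS = {"script", "iframe", "object", "embed"}


class ActiveContentAudit(HTMLParser):
    """Record everything that could run script, as the tokenizer sees it.

    Tag and attribute names arrive lower-cased and attribute values are
    entity-decoded, so case games and character references in the input are
    seen the same way a browser sees them.
    """

    def __init__(self, nonce=None):
        super().__init__()
        self.nonce = nonce
        self.would_run = []   # script elements carrying the response nonce
        self.blocked = []     # active content the policy would refuse

    def handle_starttag(self, tag, attrs):
        # Browsers keep the FIRST of duplicate attributes; mirror that rather
        # than letting dict(attrs) silently keep the last one.
        seen = {}
        for name, value in attrs:
            seen.setdefault(name, value)

        if tag == "script":
            if self.nonce and seen.get("nonce") == self.nonce:
                self.would_run.append(seen.get("src") or "inline")
            else:
                self.blocked.append("<script> without nonce")
        elif tag in ACTIVE_TAGS:
            self.blocked.append(f"<{tag}>")

        for name, value in seen.items():
            if name.startswith("on"):          # inline event handler
                self.blocked.append(f"{name} handler on <{tag}>")
            elif name in ("href", "src", "action") and value:
                # URL parsers drop tabs and newlines inside the scheme, so
                # strip them before looking for a javascript: URL.
                scheme = re.sub(r"[\t\n\r]", "", value).strip().lower()
                if scheme.startswith("javascript:"):
                    self.blocked.append(f"javascript: URL in {name} on <{tag}>")


def audit(html_text, nonce=None):
    """Return (scripts that would run under the nonce policy, blocked items)."""
    parser = ActiveContentAudit(nonce)
    parser.feed(html_text)
    parser.close()
    return parser.would_run, parser.blocked


def accept_post(fragment):
    """Last-ditch check: accept only if no active content survives parsing."""
    _, blocked = audit(fragment)
    return not blocked


def render_page(trusted_js, untrusted_fragment):
    """Trusted script first, then the script boundary, then untrusted HTML.

    Returns (headers, body, nonce). The nonce is fresh per response, so the
    untrusted fragment cannot have known it when it was submitted.
    """
    if "</script" in trusted_js.lower():
        raise ValueError("trusted script must not close its own element")
    nonce = secrets.token_urlsafe(16)
    headers = {
        "Content-Security-Policy":
            f"script-src 'nonce-{nonce}'; object-src 'none'; base-uri 'none'",
        "Content-Type": "text/html; charset=utf-8",
    }
    body = (
        "<!doctype html><html><head>"
        f'<script nonce="{nonce}">{trusted_js}</script>'
        "</head><body>"
        # Boundary: everything from here on is user-supplied and unnonced.
        f"{untrusted_fragment}"
        "</body></html>"
    )
    return headers, body, nonce


if __name__ == "__main__":
    hdrs, page, n = render_page("console.log('site code');",
                                "<p>user text</p><script>userCode()</script>")
    print(hdrs["Content-Security-Policy"])
    print(audit(page, n))            # (['inline'], ['<script> without nonce'])
    print(accept_post('<img src="x" onerror="userCode()">'))   # False
```

In use, `accept_post` runs at submission time and `render_page` at response time; the audit of the rendered body is a useful regression test that the site's own script is the only thing the policy lets run.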