Bugtraq mailing list archives
Re: Cross site scripting: a long term fix
From: Cooper <Cooper () LINUXFAN COM>
Date: Sun, 8 Oct 2000 23:32:28 +0200
Zag Zig wrote:
> Applications that expect or require HTML input, such as web forums, should be aware of HTML security problems.
Exactly.
> Even for them, character filtering is not a good solution.
Oh?
> Most web programmers do not expect to find HTML or a script in simple text input fields and they should not be asked to check for it.
Why should they not be expected to check for it? When you read text it's just that. Text! When the programmer wants to display that text in an HTML document, he should convert that text to HTML by replacing the special characters with their HTML counterpart. There's only a handful of them, so what's the big problem here? Make a simple text2html procedure and you're home free. *THAT* is what should've been present in CGI/ASP/JSP/PHP/whatever from day 0 (and I find it hard to believe it's not there already).
> Trying to solve this problem by filtering of 'special characters' on input or output is not the right way to do it. I do not see anything special about any of those characters. This will make the web more complex, not more reliable.
I don't see this as a solution that makes things simpler. What's the difference between:
    $RANDOM=gen_random();
    echo "<TEXT key=$RANDOM>$DB_TEXT_FIELD</TEXT key=$RANDOM>";
and
    $HTML_OUT=text2html($DB_TEXT_FIELD);
    echo "<P>$HTML_OUT<P>"
Both solutions work just as well, but the impact on current software for the latter solution is *FAR* less than for the first because it requires an extension of the HTML standard...
Also note that your solution if implemented today will make your forum only accessible to those lucky few that are willing to update their browser so they can browse sites that use that tag. The rest will not see the posted comments.
Is it really worth all that to allow a web programmer to have to think about one less issue?
Cooper
--
If you can read this you're probably not dead yet.
- Johnny The Homicidal Maniac 7 -
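The text2html procedure described in the message above, sketched in Python as an added example (not code from the original post). The names render_comment and strip_filter and the sample strings are constructed for illustration; strip_filter is included only to contrast output conversion with the character filtering the thread argues about.

```python
import html

# The "handful" of characters with special meaning in HTML text and in
# quoted attribute values, mapped to their entity forms.
_HTML_ESCAPES = str.maketrans({
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#x27;",
})


def text2html(text: str) -> str:
    """Convert plain text to HTML in a single pass.

    A single pass matters: chained replace() calls that handle '&' last
    would re-escape the '&' of entities produced by earlier steps.
    """
    return text.translate(_HTML_ESCAPES)


def render_comment(author: str, body: str) -> str:
    """Convert at output time; the stored text itself is never altered.

    Covers element text and quoted attribute values only. Script, style
    and URL contexts need their own encoders (assumption: not used here).
    """
    return '<p title="{}">{}</p>'.format(text2html(author), text2html(body))


def strip_filter(text: str) -> str:
    """Character filtering, for contrast: it damages legitimate text."""
    return "".join(c for c in text if c not in "<>&\"'")


# Constructed sample inputs, not taken from the thread.
SAMPLES = [
    "if a < b && b > c, then a < c",
    "<script>alert(1)</script>",
    'Tom "the cat" & Jerry\'s',
]

if __name__ == "__main__":
    for s in SAMPLES:
        # Cross-check against the standard library's escaper.
        assert text2html(s) == html.escape(s, quote=True)
        print(render_comment("anonymous", s))
        print("  filtered instead:", strip_filter(s))
```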