Bugtraq mailing list archives
Re: Cross site scripting: a long term fix
From: Tollef Fog Heen <tollef () ADD NO>
Date: Mon, 9 Oct 2000 11:07:00 +0200
* Zag Zig
| 1.6. Proposal to add a safe quoting tag to HTML
|
| The HTMLEncode solution above is better than filtering.
| I propose that a solution for quoting markup should be built into
| the HTML specification and therefore made available to all servers
| for use with both static and dynamically generated text.
Which it has been, but it was then deprecated and is now obsoleted, from
html-2.1e (from the IETF).
<!ENTITY % literal "CDATA"
        -- historical, non-conforming parsing mode where
           the only markup signal is the end tag
           in full
        -->
<!ELEMENT (XMP|LISTING) - - %literal>
It didn't have the same options as yours (adding stuff to the ending
tags, etc.), and caused problems.
It is probably better to add a tag which means something like 'get
this URI, insert it here, but treat it like mime/type (or let the
server which returns it decide)'.
IMHO, my 0.02$
--
Tollef Fog Heen
Unix _IS_ user friendly... It's just selective about who its friends are.
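As an added example, not code from the original post or from any HTML specification, the following JavaScript contrasts the HTMLEncode approach the quoted text favours with the obsolete XMP/LISTING literal mode from the DTD fragment above. The end-tag-only parsing rule is modelled in a simplified form taken from the DTD comment (the element ends at the first full end tag, matched case-insensitively); the function names, the simplification and the sample inputs are this example's own assumptions, and browsers of the period differed in the details.

```javascript
// Added example (not from the original post or any spec): HTMLEncode versus
// the obsolete XMP "literal" element.  Names and the simplified end-tag
// model are assumptions of this example.

// HTMLEncode: replace the characters that can start markup or end an
// attribute value, so untrusted text is displayed rather than interpreted.
const ENTITY = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function htmlEncode(text) {
  return String(text).replace(/[&<>"']/g, (c) => ENTITY[c]);
}

// Literal-element approach: wrap untrusted text in <xmp>...</xmp> and rely
// on the parser treating everything inside as text.
function wrapLiteral(text, tag = 'xmp') {
  return `<${tag}>${text}</${tag}>`;
}

// Simplified model of the literal parsing mode the DTD comment describes:
// inside the element nothing is markup until the end tag appears in full
// (matched case-insensitively, as SGML tag names are).  Returns what the
// parser shows literally and what it then parses as ordinary markup.
function parseLiteral(html, tag = 'xmp') {
  const open = `<${tag}>`;
  const close = `</${tag}>`;
  const lower = html.toLowerCase();
  const start = lower.indexOf(open) + open.length;
  const end = lower.indexOf(close, start);
  if (end < 0) {
    return { literal: html.slice(start), markup: '' }; // unterminated: all literal
  }
  return {
    literal: html.slice(start, end),
    markup: html.slice(end + close.length), // live markup after an early end tag
  };
}

// Does the untrusted text escape the literal element?  True when anything
// beyond the wrapper's own end tag is left for the markup parser.
function literalBreakout(untrusted) {
  return parseLiteral(wrapLiteral(untrusted)).markup.length > 0;
}

// Does HTMLEncode leave any character that could open or close a tag?
function encodedBreakout(untrusted) {
  return /[<>]/.test(htmlEncode(untrusted));
}

// Constructed sample inputs for the comparison.
const samples = [
  '<b>hello</b>',                      // benign markup, shown literally either way
  '</XmP><script>alert(1)</script>',   // ends the literal element early
];

for (const s of samples) {
  console.log(JSON.stringify(s),
    'xmp breakout:', literalBreakout(s),
    'encoded breakout:', encodedBreakout(s));
}
```

The second sample is the failure mode the post alludes to: once the attacker can write the end tag in full, nothing inside XMP protects the rest of the page, whereas the encoded form contains no `<` or `>` at all and needs no end tag to stay inert.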
