Bugtraq mailing list archives
Re: Cross site scripting: a long term fix
From: Tollef Fog Heen <tollef () ADD NO>
Date: Mon, 9 Oct 2000 11:07:00 +0200
* Zag Zig

| 1.6. Proposal to add a safe quoting tag to HTML
|
| The HTMLEncode solution above is better than filtering.
| I propose that a solution for quoting markup should be built into
| the HTML specification and therefore made available to all servers
| for use with both static and dynamically generated text.

Which it has been, but was then deprecated and is now obsoleted, from
html-2.1e (from the IETF).

<!ENTITY % literal "CDATA" -- historical, non-conforming parsing mode
    where the only markup signal is the end tag in full -->

<!ELEMENT (XMP|LISTING) - - %literal>

It didn't have the same options as yours (adding stuff to the ending
tags etc), and caused problems.

It is probably better to add a tag which means something like 'get
this URI, insert it here, but treat it like mime/type (or let the
server which returns it decide)'.

IMHO, my 0.02$

--
Tollef Fog Heen
Unix _IS_ user friendly... It's just selective about who its friends are.
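The contrast the message draws, between the HTMLEncode approach the quoted proposal favours and the historical XMP/LISTING literal mode whose "only markup signal is the end tag in full", is easy to see in code. The following is an added example, not code from the original post or from any of the participants: `htmlEncode` rewrites every markup-significant character as an entity so nothing in the output can be parsed as a tag, while `literalModeBreaks` checks whether a piece of untrusted text contains the end tag that would terminate an XMP/LISTING section early. The function names and the sample input are assumptions constructed for this example.

```javascript
// Added example (not from the original post): entity encoding versus the
// XMP/LISTING literal parsing mode quoted from the HTML 2.x DTD.

// The five characters that carry meaning in HTML text and attribute
// contexts, mapped to entity references.
const ENTITY_MAP = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Reverse table, used here only to show the encoding is lossless.
const DECODE_MAP = Object.fromEntries(
  Object.entries(ENTITY_MAP).map(([ch, ent]) => [ent, ch])
);

// htmlEncode: transform untrusted text so the browser renders it literally.
// Every significant character becomes an entity, so no substring of the
// output can be read as markup, whatever the input contained.
function htmlEncode(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ENTITY_MAP[ch]);
}

// htmlDecode: undo htmlEncode for the five entities above (round-trip check).
function htmlDecode(text) {
  return String(text).replace(/&(amp|lt|gt|quot|#39);/g, (ent) => DECODE_MAP[ent]);
}

// containsRawTagChars: true if the string still holds characters a parser
// could take as the start or end of a tag.
function containsRawTagChars(text) {
  return /[<>]/.test(text);
}

// literalModeBreaks: the %literal mode ends at the end tag in full and at
// nothing else. If untrusted text contains that end tag (matched without
// regard to case, as SGML parsers do), the literal section ends early and
// whatever follows is parsed as ordinary markup. There is no character to
// escape, which is why the approach "caused problems" as the message says.
function literalModeBreaks(text, tag = "xmp") {
  const endTag = new RegExp(`</${tag}\\s*>`, "i");
  return endTag.test(String(text));
}

// Constructed sample of untrusted input, e.g. a user-supplied comment.
const UNTRUSTED = 'Tom & Jerry wrote "5 < 6"; then </XMP> and more text';

// Compare the two strategies on the same input.
function compareStrategies(text) {
  return {
    encoded: htmlEncode(text),
    encodedIsSafe: !containsRawTagChars(htmlEncode(text)),
    literalIsSafe: !literalModeBreaks(text),
  };
}

console.log(compareStrategies(UNTRUSTED));
```

Encoding works per character and has no boundary to collide with; the literal element works per block and is only as safe as the guarantee that its end tag never appears in the content, which no server-side code can promise for user input. That is the practical reason the quoted proposal's "HTMLEncode is better than filtering" still holds.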
Current thread:
- Cross site scripting: a long term fix Zag Zig (Oct 08)
- Re: Cross site scripting: a long term fix Gunther Birznieks (Oct 09)
- Re: Cross site scripting: a long term fix Cooper (Oct 09)
- Re: Cross site scripting: a long term fix David LeBlanc (Oct 09)
- Re: Cross site scripting: a long term fix Tollef Fog Heen (Oct 09)
- Re: Cross site scripting: a long term fix Erik Peterson (Oct 10)
- <Possible follow-ups>
- Re: Cross site scripting: a long term fix Michael Wojcik (Oct 10)
- Big Brother Systems and Network Monitor vulnerability Robert-Andre Croteau (Oct 10)
- Re: Cross site scripting: a long term fix Dmitry Yu. Bolkhovityanov (Oct 10)
- Re: Cross site scripting: a long term fix David M Chess/Watson/IBM (Oct 10)
- Re: Cross site scripting: a long term fix Doug Winter (Oct 11)