WebApp Sec mailing list archives

Re: Preventing cross site scripting


From: Wojciech Purczynski <cliph () isec pl>
Date: Fri, 20 Jun 2003 15:27:05 +0200 (CEST)


> To prevent CSS attacks, it is the most simple and trivial thing; simply
> parse the input. Change all < and > tags to &lt; and &gt; for text/HTML
> display of the tag itself without it parsing it. Then, like you stated, and
> is the most basic approach to security for form input, etc., is to put them
> back together with *only* the HTML tags you want, such as &lt;br&gt; would
> then be put back together as a line break tag <br>. You can do this easily
> for almost all HTML tags. For tags that could potentially be used to input
> things such as anchor tags for images or hot links, etc. simply control
> what's put back together.

I like your idea. :) However, it would break some HTML pages that already
contain some examples of HTML code etc.

Perhaps it should be done in three steps:

1. Change all < > to &foolt; and &foogt; correspondingly
2. Put back all allowable HTML tags i.e. &foolt;BODY&foogt; 
   (using regex or sth else to filter out unwanted attributes)
3. Change all remaining &foolt; to &lt; and &foogt; to &gt;

Cheers,
wp

-- 
Wojciech Purczynski
iSEC Security Research
http://isec.pl/
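
The three steps proposed in this message, written out as an added example (not code from the post or its author). The allow-list, the choice to restore only attribute-less tags, and the extra "step 0" that neutralizes placeholder strings already present in the input are assumptions of this example.

```python
import re

# Placeholder tokens named in the post.
LT, GT = "&foolt;", "&foogt;"

# Assumed allow-list: only tags that are safe without any attributes.
ALLOWED = ("b", "i", "em", "strong", "p", "br")

# Matches a placeholder-wrapped allowed tag with no attributes:
# optional leading "/", tag name, optional whitespace, optional trailing "/".
_TAG = re.compile(
    re.escape(LT) + r"(/?)(" + "|".join(ALLOWED) + r")\s*(/?)" + re.escape(GT),
    re.IGNORECASE,
)


def _restore(match: re.Match) -> str:
    closing, name, self_closing = match.group(1), match.group(2), match.group(3)
    if closing and self_closing:
        return match.group(0)  # "</br/>" is malformed; leave it escaped
    return f"<{closing}{name.lower()}{self_closing}>"


def sanitize(text: str) -> str:
    # Step 0 (added assumption): input that already contains the placeholder
    # strings must not be mistaken for tags produced by step 1.
    text = text.replace(LT, "&amp;foolt;").replace(GT, "&amp;foogt;")
    # Step 1: change every < and > to the placeholders.
    text = text.replace("<", LT).replace(">", GT)
    # Step 2: put back allowed tags only. Anything carrying attributes
    # does not match the pattern and therefore stays escaped.
    text = _TAG.sub(_restore, text)
    # Step 3: change all remaining placeholders to &lt; and &gt;.
    return text.replace(LT, "&lt;").replace(GT, "&gt;")


if __name__ == "__main__":
    # Constructed sample inputs.
    for sample in (
        "<b>hi</b><script>alert(1)</script>",
        "Use &lt;br&gt; for a line break<BR>",
        '<b onmouseover="x">text</b>',
        "&foolt;b&foogt;",
    ):
        print(sanitize(sample))
```

Entity-encoded examples such as `&lt;br&gt;` pass through unchanged, which is the case the reply is concerned about. A rejected opening tag can leave its allowed closing tag restored on its own, so output may contain unbalanced closing tags.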


