WebApp Sec mailing list archives
Re: Preventing cross site scripting
From: Laurian Gridinoc <laur () grapefruitdesign com>
Date: 20 Jun 2003 19:21:00 +0300
The most elegant way to control html input would be to parse it to a DOM tree and control it from there; I'm widely using Tidy to `correct' the input to XHTML, then by a simple XSL transformation I can filter/alter whatever elements I need.

You want to drop the `object' element, just write:

  <xsl:template match="object" />

you want to ignore it (preserve the content it wraps), just write:

  <xsl:template match="object"><xsl:apply-templates /></xsl:template>

you want to copy everything else:

  <xsl:template match="*|@*|text()|comment()">
    <xsl:copy>
      <xsl:apply-templates select="*|@*|text()|comment()" />
    </xsl:copy>
  </xsl:template>

I consider filtering html as if it were a mere string (i.e. using regexp or simple replace methods) pretty uncertain in results and not quite programming :) -- it's a language, it has a grammar, then use a parser.

Cheers,

--
Laurian Gridinoc
Chief Developer
GRAPEFRUIT DESIGN
tel/fax: +40.232.233068
tel/fax: +1.646.349.2916
mobile: +40.745.304379
e-mail: laur () gd ro
www.grapefruitdesign.com
www.gd.ro
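The drop / unwrap / copy-everything-else policy described in the post, carried out as a tree walk in plain Python (an added example, not the poster's code; it uses the standard-library HTML parser in place of Tidy plus XSLT, so no XSLT engine is assumed). It goes one step beyond the post's identity template: copying `@*` verbatim would also carry over event-handler attributes and `javascript:` URLs, so attributes pass through an allowlist and href/src are restricted to http(s) or same-origin paths. The policy sets and the sample inputs are constructed choices for illustration.

```python
from html.parser import HTMLParser
from html import escape

# Policy mirroring the post's three XSL templates (constructed, hypothetical choices):
DROP = {"object", "script", "embed", "iframe"}   # match="object" />: element and its content vanish
UNWRAP = {"font", "span"}                          # apply-templates only: keep children, lose the tag
ALLOWED_ATTRS = {"href", "src", "alt", "title"}   # unlike @*, on* handlers and style are not copied
VOID = {"br", "img", "hr"}                         # elements that never take an end tag

class TreeBuilder(HTMLParser):
    """Build a (tag, attrs, children) tree; text nodes are plain str, the DOM step of the post."""
    def __init__(self):
        super().__init__(convert_charrefs=True)    # entities decoded now, re-escaped on output
        self.root = ("root", [], [])
        self.stack = [self.root]
    def handle_starttag(self, tag, attrs):
        node = (tag, attrs, [])
        self.stack[-1][2].append(node)
        if tag not in VOID: self.stack.append(node)
    def handle_endtag(self, tag):
        for i in range(len(self.stack) - 1, 0, -1):   # pop to the nearest matching open tag;
            if self.stack[i][0] == tag:              # a stray end tag with no match is ignored
                del self.stack[i:]
                break
    def handle_data(self, data): self.stack[-1][2].append(data)

def attr_ok(name, value):
    """Allowlist attribute names; href/src must be http(s) or a same-origin absolute path."""
    if name not in ALLOWED_ATTRS:
        return False
    if name in ("href", "src"):
        v = (value or "").strip().lower()
        return v.startswith(("http://", "https://")) or (v.startswith("/") and not v.startswith("//"))
    return True

def serialize(node):
    """Walk the tree applying the policy; this is the role of the xsl:copy template."""
    if isinstance(node, str):
        return escape(node)                    # text() is re-escaped, never emitted raw
    tag, attrs, children = node
    if tag in DROP:
        return ""
    inner = "".join(serialize(c) for c in children)
    if tag == "root" or tag in UNWRAP:
        return inner
    attr_s = "".join(f' {k}="{escape(v or "")}"' for k, v in attrs if attr_ok(k, v))
    return f"<{tag}{attr_s} />" if tag in VOID else f"<{tag}{attr_s}>{inner}</{tag}>"

def filter_html(source):
    """Parse untrusted HTML and return the filtered XHTML-style fragment."""
    p = TreeBuilder(); p.feed(source); p.close()
    return serialize(p.root)
```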