WebApp Sec mailing list archives

Re: Preventing XSS


From: "Tim Greer" <chatmaster () charter net>
Date: Fri, 20 Jun 2003 10:29:48 -0700




----- Original Message -----
From: "Ulf Harnhammar" <metaur () operamail com>
To: <webappsec () securityfocus com>
Sent: Friday, June 20, 2003 8:54 AM
Subject: Preventing XSS


Hello!

I see that a lot of people here are interested in preventing Cross-Site
Scripting. Why don't you join the people who are working on filters for it
(like my kses in PHP, or someone else's HTML::StripScripts::Parser in Perl),
so we end up with really robust open-source implementations that we can
point people to?

Talking about filters, didn't the OWASP Project use to work on them as
well? Did they release anything?

Another question: People were discussing a <dead> tag earlier that would
temporarily stop execution of JavaScript in a web page. (Not that the XSS
problem is only related to JavaScript, mind you, meta refreshes can be just
as bad.) Did someone start implementing that?

Another two pence to the general XSS discussion: it's not just about whole
HTML elements, it's also about fragments. With this PHP code:

echo "<a href=\"$url\">Homepage</a>\n";

you can cause an XSS problem if $url is:

http://www.somestupidsite.tk/"; onMouseOver="alert(57)

Just processing "<" and ">" won't help you. In this type of fragment,
quotes and apostrophes must be handled as well.


See my earlier post about some regex solutions. The last one I posted was
about 95% complete and 100% secure. Perhaps needing some work, but secure at
least and just an idea--I just typed it off the top of my head as I went
along, tested it and posted it. Some things needed to be changed, but that
was the idea and how simple it was. Offer up a URL to some of these
projects, if you would be so kind, as I am busy working right now and don't
want to really search for information--though I imagine it would be simple
enough to find any existing projects. Thanks.
--
Regards,
Tim Greer  chatmaster () charter net
Server administration, security, programming, consulting.
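The attribute-context point made in the quoted message, as an added Python illustration (this is not code from either poster; the PHP `echo` line is mirrored with an f-string, the payload string is copied from the message, and Python's `html.escape` stands in for PHP's `htmlspecialchars`). It renders the same `<a href="...">` fragment twice, once guarded only by stripping `<` and `>` and once with quotes escaped as well, then uses the standard-library HTML parser to list the attributes a browser would actually see on the tag:

```python
import html
from html.parser import HTMLParser

# Constructed sample input, mirroring the payload quoted in the original post.
MALICIOUS_URL = 'http://www.somestupidsite.tk/"; onMouseOver="alert(57)'


def strip_angle_brackets(value):
    """The insufficient approach the post warns about: remove only '<' and '>'."""
    return value.replace("<", "").replace(">", "")


def render_link_naive(url):
    """Equivalent of the PHP fragment in the post, guarded only by bracket stripping."""
    return f'<a href="{strip_angle_brackets(url)}">Homepage</a>'


def render_link_escaped(url):
    """Attribute-context escaping: quote=True also encodes '"' and "'",
    so the value can never close the href attribute it sits in."""
    return f'<a href="{html.escape(url, quote=True)}">Homepage</a>'


class _AnchorAttributes(HTMLParser):
    """Collects the attributes the parser sees on the <a> start tag."""

    def __init__(self):
        super().__init__()
        self.attrs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.attrs.extend(attrs)


def anchor_attributes(markup):
    """Parse a rendered anchor and return its (name, value) attribute pairs.
    HTMLParser lowercases attribute names and decodes entities in values."""
    parser = _AnchorAttributes()
    parser.feed(markup)
    parser.close()
    return parser.attrs


def has_event_handler(markup):
    """Detection check: any on* attribute means the value broke out of href."""
    return any(name.startswith("on") for name, _ in anchor_attributes(markup))


if __name__ == "__main__":
    for label, render in (("naive", render_link_naive), ("escaped", render_link_escaped)):
        out = render(MALICIOUS_URL)
        print(f"{label:8} {out}")
        print(f"{'':8} attributes: {anchor_attributes(out)}")
        print(f"{'':8} event handler injected: {has_event_handler(out)}")
```

With the naive guard the parser reports an `onmouseover` attribute alongside `href`; with quote escaping it reports a single `href` whose decoded value is the whole untrusted string, which is exactly what one wants. The PHP equivalent is `htmlspecialchars($url, ENT_QUOTES)`, since without `ENT_QUOTES` single quotes are left alone and a single-quoted attribute stays open to the same trick. Escaping only keeps the value inside the attribute; whether that value is an acceptable URL at all is a separate validation step.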

