WebApp Sec mailing list archives
Re: Preventing XSS
From: "Tim Greer" <chatmaster () charter net>
Date: Fri, 20 Jun 2003 10:29:48 -0700
----- Original Message -----
From: "Ulf Harnhammar" <metaur () operamail com>
To: <webappsec () securityfocus com>
Sent: Friday, June 20, 2003 8:54 AM
Subject: Preventing XSS
Hello! I see that a lot of people here are interested in preventing Cross-Site Scripting. Why don't you join the people who are working on filters for it (like my kses in PHP, or someone else's HTML::StripScripts::Parser in Perl), so we end up with really robust open-source implementations that we can point people to?
Talking about filters, didn't the OWASP Project use to work on them as well? Did they release anything?
Another question: People were discussing a <dead> tag earlier that would temporarily stop execution of JavaScript in a web page. (Not that the XSS problem is only related to JavaScript, mind you, meta refreshes can be just as bad.) Did someone start implementing that?
Another two pence to the general XSS discussion: it's not just about whole HTML elements, it's also about fragments. With this PHP code:

    echo "<a href=\"$url\">Homepage</a>\n";

you can cause an XSS problem if $url is:

    http://www.somestupidsite.tk/" onMouseOver="alert(57)

Just processing "<" and ">" won't help you. In this type of fragment, quotes and apostrophes must be handled as well.
See my earlier post about some regex solutions. The last one I posted was about 95% complete and 100% secure. Perhaps needing some work, but secure at least and just an idea--I just typed it off the top of my head as I went along, tested it and posted it. Some things needed to be changed, but that was the idea and how simple it was.

Offer up a URL to some of these projects, if you would be so kind, as I am busy working right now and don't want to really search for information--though I imagine it would be simple enough to find any existing projects. Thanks.

--
Regards,
Tim Greer
chatmaster () charter net
Server administration, security, programming, consulting.
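Ulf's attribute-fragment point above, worked through as an added example that is not part of either post: it renders the same `<a href="...">` fragment with an angle-bracket-only filter and with attribute encoding, then uses the standard-library HTML parser to show which attributes each version actually ends up with. Only the payload URL quoted in the thread is reused; everything else is constructed here.

```python
"""Added example: why stripping only "<" and ">" fails in an attribute
context, and what quote-aware attribute encoding changes. Standard library only."""
import html
from html.parser import HTMLParser

# The payload quoted in the thread. It contains no "<" or ">", so a filter
# that only looks for angle brackets passes it through unchanged.
PAYLOAD = 'http://www.somestupidsite.tk/" onMouseOver="alert(57)'


def strip_angle_brackets(value: str) -> str:
    """The insufficient filter: removes < and > and nothing else."""
    return value.replace("<", "").replace(">", "")


def render_link_naive(url: str) -> str:
    """Mirror of the PHP fragment, with only the angle-bracket filter applied."""
    return '<a href="%s">Homepage</a>' % strip_angle_brackets(url)


def render_link_escaped(url: str) -> str:
    """Attribute-context encoding: '"' becomes &quot;, so the value can no
    longer close the href attribute (html.escape also handles &, <, >).
    Note this only prevents breaking out of the attribute; it does not
    validate the URL scheme, which is a separate check."""
    return '<a href="%s">Homepage</a>' % html.escape(url, quote=True)


class _AnchorAttrs(HTMLParser):
    """Collects the attribute names a parser sees on the <a> element."""
    def __init__(self):
        super().__init__()
        self.attrs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.attrs = [name for name, _ in attrs]


def anchor_attributes(fragment: str) -> list:
    """Return the attribute names of the <a> element in the rendered fragment."""
    parser = _AnchorAttrs()
    parser.feed(fragment)
    parser.close()
    return parser.attrs


if __name__ == "__main__":
    for render in (render_link_naive, render_link_escaped):
        out = render(PAYLOAD)
        print(render.__name__, anchor_attributes(out), out, sep="\n  ")
```

With the naive filter the anchor gains an `onmouseover` attribute; with attribute encoding the whole payload stays inside the single `href` value.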