WebApp Sec mailing list archives
Re: [Re: AppSec FAQ at OWASP]
From: Omar Ismail <isumai-u () is aist-nara ac jp>
Date: Fri, 30 Jan 2004 03:13:54 +0900
Sorry for not clearing up my question. When I asked the question I was reading a paper about how to detect and prevent XSS by scanning HTTP request and response messages, so I was assuming that the escape occurs whenever there is "(" and ")" in the server responded HTML pages.
My mistake. Regards On 2004.1.30, at 01:19 AM, Sangita Pakala wrote:
オマル イスマイル <isumai-u () is aist-nara ac jp> wrote:I would like to know that how you deal with the false positive? In the case of " <img src= "javascript: preview(....)> or <img src="javascript:window.close()>..etc..etc.. If you escape the "(" and ")" that means you render out the harmless Javascript too.I'm not sure if I've understood the issue, so pls correct me if I'm wrong. You would not escape *every* '<' or '(' in the html page. You would only escape those which come from user-supplied inputs in the first place. I assume that the harmless calls to preview() and window.close() are *not* user supplied inputs, but part of the html page template. So, there shouldn't be false positives escaping '(' and ')' from content that came from user-suppliedinputs. Thanks, Sangita.
~~~~~~~~~~~~~~~~00101001~~~~~~~~~~~~~~ Omar ISMAIL Internet Engineering Lab, Graduate School of Information Science Nara Institute of Science and Technology Nara, Japan, 630-0101 Isumai-u () is aist-nara ac jp ~~~~~~~~~~~~~~~00101001~~~~~~~~~~~~~~~~
Current thread:
- Re: [Re: AppSec FAQ at OWASP] Sangita Pakala (Jan 29)
- Re: [Re: AppSec FAQ at OWASP] Omar Ismail (Jan 29)
- <Possible follow-ups>
- Re: [Re: AppSec FAQ at OWASP] Rohyt Belani (Jan 29)
- Re: [Re: AppSec FAQ at OWASP] Philippe P. (Jan 30)
- Re: [Re: AppSec FAQ at OWASP] Philippe Prados (Jan 30)
- Re: [Re: AppSec FAQ at OWASP] Ulf Härnhammar (Jan 30)
- Re: [Re: AppSec FAQ at OWASP] Omarjan Ismail (Jan 29)
- Re: [Re: AppSec FAQ at OWASP] Rohyt Belani (Jan 30)