Re: [Re: AppSec FAQ at OWASP]

[Omar Ismail <isumai-u () is aist-nara ac jp>]

Sorry for not clearing up my question. When I asked the question I was 
reading a paper about
how to detect and prevent XSS by scanning  HTTP request and response 
messages, so I was assuming
that the escape occurs whenever there is "(" and ")" in the server 
responded HTML pages.

My mistake.


Regards


On 2004.1.30, at 01:19  AM, Sangita Pakala wrote:

> オマル イスマイル <isumai-u () is aist-nara ac jp> wrote:
> > I would like to know that how you deal with the false positive?
> > In the case of " <img src= "javascript: preview(....)> or <img
> > src="javascript:window.close()>..etc..etc..
> > If you escape the "(" and ")" that means you render out the harmless
> > Javascript too.
>
>
> I'm not sure if I've understood the issue, so pls correct me if I'm 
> wrong. You
> would not escape *every* '<' or '(' in the html page. You would only 
> escape
> those which come from user-supplied inputs in the first place. I 
> assume that
> the harmless calls to preview() and window.close() are *not* user 
> supplied
> inputs, but part of the html page template. So, there shouldn't be 
> false
> positives escaping '(' and ')' from content that came from 
> user-supplied
> inputs.
>
> Thanks,
> Sangita.
~~~~~~~~~~~~~~~~00101001~~~~~~~~~~~~~~
Omar ISMAIL
Internet Engineering Lab,
Graduate School of Information Science
Nara Institute of Science and Technology
Nara, Japan, 630-0101

Isumai-u () is aist-nara ac jp

~~~~~~~~~~~~~~~00101001~~~~~~~~~~~~~~~~