WebApp Sec mailing list archives
Re: IBM Websphere Commerce Server 5.5 XSS detect mode
From: The Crocodile <tcroc () pasture com>
Date: Tue, 11 May 2004 22:31:07 -0400
While I'm sure this is a great technique to do, and certainly a step in the right direction for many applications, the better way to validate data supplied by the client side would be to compare the input against a known set of GOOD data and if there are characters that are not in this set of known good, then reject the request.

For example: An input field of a phone number should only accept numbers and dashes; it should not accept any other characters and should reject on any input that contains anything other than numbers or dashes (or at least give an error to the user). Validation routines ideally should be done on a per-field basis.

Rejecting data based on it containing certain known bad characters is like firewalls listing all the things that need to be dropped and accepting everything else. It's not really best practice.

I hope this makes sense.

--TheCrocodile

On Mon, 2004-05-10 at 22:37, Jim+Lisa Weiler wrote:

> IBM Websphere Commerce server 5.5 has a switch that causes the server to examine all fields in POSTs and all variables in GETs and check the input against a set of strings and characters that are not allowed, and return one of 3 custom web pages if non-allowed strings or characters are found. Does anyone have experience with this feature in Websphere Commerce Server?
>
> Thanks, Jim
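The per-field allowlist approach The Crocodile describes, contrasted with the character-denylist style of check Jim asks about, as an added example. This is not code from the thread or from WebSphere Commerce; the field names, patterns and sample requests are constructed for illustration.

```python
import re

# Per-field allowlist rules: each parameter is accepted only if its whole
# value matches the known-good pattern for that field. Field names and
# patterns are assumptions made for this example.
FIELD_RULES = {
    "phone": re.compile(r"[0-9-]{7,20}"),          # digits and dashes only
    "zip": re.compile(r"[0-9]{5}"),
    "quantity": re.compile(r"[0-9]{1,4}"),
    "first_name": re.compile(r"[A-Za-z][A-Za-z' -]{0,39}"),
}

# A denylist in the spirit of the server-wide "detect mode" in the thread:
# reject a value if it contains a listed character, accept everything else.
DENYLIST_CHARS = set('<>"')


def validate_allowlist(field: str, value: str) -> bool:
    """Accept a value only if the field has a rule and the value matches it
    completely (fullmatch, so nothing before or after the pattern slips in).
    A field with no rule is rejected: every parameter needs an explicit rule."""
    rule = FIELD_RULES.get(field)
    if rule is None:
        return False
    return rule.fullmatch(value) is not None


def validate_denylist(value: str) -> bool:
    """Reject only values containing a listed bad character.
    Any character the list author did not think of is accepted."""
    return not any(ch in DENYLIST_CHARS for ch in value)


def validate_request(params: dict) -> dict:
    """Validate every parameter of a parsed GET/POST against its per-field
    rule. Returns {field: reason} for each rejected parameter; an empty dict
    means the request passed validation."""
    errors = {}
    for field, value in params.items():
        if field not in FIELD_RULES:
            errors[field] = "unexpected parameter"
        elif not validate_allowlist(field, value):
            errors[field] = "value contains characters outside the allowed set"
    return errors


if __name__ == "__main__":
    # Constructed sample requests, as a parsed form body would look.
    good = {"phone": "555-123-4567", "zip": "02134", "quantity": "2"}
    bad = {"phone": "555-123-4567 ext 9", "zip": "0213O", "debug": "1"}
    print(validate_request(good))
    print(validate_request(bad))
    # The denylist accepts a phone value containing a character it was never
    # told about; the allowlist rejects it because ';' is not a digit or dash.
    print(validate_denylist("555;1234"), validate_allowlist("phone", "555;1234"))
```

The difference shows in how each validator fails: the allowlist rejects anything it was not explicitly taught to accept, including a parameter the form never defined, while the denylist silently passes any character its author did not enumerate.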
Current thread:
- IBM Websphere Commerce Server 5.5 XSS detect mode Jim+Lisa Weiler (May 11)
- Re: IBM Websphere Commerce Server 5.5 XSS detect mode The Crocodile (May 11)
- Re: IBM Websphere Commerce Server 5.5 XSS detect mode Paul Johnston (May 12)
- Re: IBM Websphere Commerce Server 5.5 XSS detect mode The Crocodile (May 11)