WebApp Sec mailing list archives

RE: Fixing XSS Vulns


From: "yeesan wong" <yeesan () hotmail com>
Date: Mon, 15 Aug 2005 03:02:01 +0000


Wilson,

For an XSS vuln, it is important for you to encode the meta-characters, such as < and >, because these meta-characters have special meanings in HTML scripting.


> From: "wilsonc" <wilsonc () mantech-wva com>
> To: <webappsec () securityfocus com>
> Subject: Fixing XSS Vulns
> Date: Fri, 12 Aug 2005 09:41:09 -0400
>
> I'm a new developer to a project, and I've found that our web
> app is wide open for XSS exploits (thankfully, it's not in production use).
> I'm not a security expert, but I did some googling and found that the
> standard procedure is basically to "encode" the string before displaying it
> to the user, so that specific characters are transformed into their HTML
> 'escape sequence'. For example, the left paren, '(' would be encoded to be
> (
>
> A more experienced developer has suggested that instead of
> writing a function to do this when we display, we write a trigger to
> encode/filter on capture. I explained to him that HTML-specific 'escape
> sequences' would then be stored in the database, and what I learned from
> googling. He feels confident that our data will only be displayed through a
> web app, and not through any kind of reporting module, and he feels the
> trigger to encode text is a cleaner implementation.
> Assuming your data was only going to be displayed back to the user via the
> same website that captured the input, is there anything wrong with encoding
> the string on capture?
>
> --CW
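As an added example that is not part of this thread, the following Python sketch contrasts the two designs the poster asks about: storing the raw string and encoding the HTML meta-characters at display time, versus having a trigger encode on capture so the database holds the escape sequences. The sample string, the dicts standing in for database rows and the function names are all constructed for the illustration; `html.escape` from the standard library plays the role of the display-time encoder.

```python
import html

# Constructed sample input containing the HTML meta-characters the thread mentions.
SAMPLE_INPUT = 'Tom & Jerry <3 "pizza"'


def html_encode(text: str) -> str:
    """Encode the characters with special meaning in HTML (&, <, >, ", ').

    html.escape is the standard-library equivalent of the display-time
    encoder described in the original post.
    """
    return html.escape(text, quote=True)


def encode_on_display(user_input: str) -> dict:
    """Design 1 (encode when displaying): store the raw string, encode per output.

    The same stored value can feed an HTML page (encoded) and a plain-text
    report (left untouched) without either output being wrong.
    """
    stored = user_input  # hypothetical DB row: data kept exactly as captured
    return {
        "stored": stored,
        "html": html_encode(stored),
        "report": stored,
    }


def encode_on_capture(user_input: str) -> dict:
    """Design 2 (trigger encodes before storing): the DB holds HTML escapes.

    The HTML output is fine, but any non-HTML consumer of the same row (the
    reporting module the poster was told would never exist) shows the escape
    sequences literally, e.g. '&amp;' where the user typed '&'.
    """
    stored = html_encode(user_input)  # hypothetical DB trigger output
    return {
        "stored": stored,
        "html": stored,
        "report": stored,
    }


def double_encoded(user_input: str) -> str:
    """Capture-encoded data meeting a display-time encoder later on.

    If a template engine that escapes by default is ever put in front of the
    stored value, the '&' of each escape sequence is escaped again and the
    page renders '&lt;' as text instead of '<'.
    """
    return html_encode(encode_on_capture(user_input)["html"])


if __name__ == "__main__":
    for name, result in (("encode on display", encode_on_display(SAMPLE_INPUT)),
                         ("encode on capture", encode_on_capture(SAMPLE_INPUT))):
        print(f"{name}: html={result['html']!r} report={result['report']!r}")
    print("double encoded:", double_encoded(SAMPLE_INPUT))
```

Running it shows that both designs produce the same HTML, so the web app alone cannot tell them apart; the difference only surfaces when the stored value reaches a second consumer (the report output of `encode_on_capture`) or a second encoder (`double_encoded`), which is exactly the assumption the poster's colleague is relying on never changing.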


