RE: Preventing cross site scripting
From: Jeremiah Grossman <jeremiah(at)whitehatsec.com>
Date: Thu Jun 19 2003 - 22:44:19 EDT

Example, the following input string:

<BAD<BADTAG>TAG></BAD</BADTAG>TAG>

would result in the following if a remove system were in place:

<BADTAG></BADTAG>

Which could be harmful if rendered.

<BAD<X>TAG></BAD</X>TAG>

We get a tad more HTML rendering safety. This filtering stuff gets fun, eh.

Regards,

Jer-
On Thu, 2003-06-19 at 19:16, Mutallip Ablimit wrote:
--
Jeremiah Grossman
Chief Executive Officer
WhiteHat Security, Inc.
Tel: 408.492.1817

Received on Thu Jun 19 22:51:22 2003
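The removal and replacement results quoted in the message above, reproduced as an added example that is not part of the original post. The regex, the function names, and the repeat-until-stable and output-encoding variants are assumptions that go beyond what the message describes.

```python
import html
import re

# Constructed sample: the nested input string quoted in the message above.
SAMPLE = "<BAD<BADTAG>TAG></BAD</BADTAG>TAG>"

# Hypothetical denylist pattern: the open or close form of one tag name.
DENIED = re.compile(r"</?BADTAG>", re.IGNORECASE)


def strip_once(text: str) -> str:
    """Single-pass removal: the 'remove system' from the message."""
    return DENIED.sub("", text)


def replace_once(text: str) -> str:
    """Single-pass replacement with an inert placeholder tag (<X> or </X>)."""
    return DENIED.sub(lambda m: "</X>" if m.group(0).startswith("</") else "<X>", text)


def strip_until_stable(text: str, max_passes: int = 10) -> str:
    """Repeat removal until a pass changes nothing (assumed variant)."""
    for _ in range(max_passes):
        cleaned = DENIED.sub("", text)
        if cleaned == text:
            return cleaned
        text = cleaned
    raise ValueError("input still changing after max_passes; reject it")


def encode_for_html(text: str) -> str:
    """Output encoding (assumed variant): markup characters become entities."""
    return html.escape(text, quote=True)


def survives(text: str) -> bool:
    """True if the denied tag is still present in a filter's output."""
    return DENIED.search(text) is not None


if __name__ == "__main__":
    filters = [strip_once, replace_once, strip_until_stable, encode_for_html]
    for fn in filters:
        out = fn(SAMPLE)
        print(f"{fn.__name__:20} {out!r:62} denied tag survives: {survives(out)}")
```

Only strip_once leaves the denied tag in its output, because deleting the inner match joins the fragments on either side of it into a new match that the single pass never revisits.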