Hosting Provided By

Re: Preventing cross site scripting

From: Tim Greer <chatmaster(at)charter.net>
Date: Fri Jun 20 2003 - 00:03:19 EDT

Original Message ----- From: "Jeremiah Grossman" <jeremiah@whitehatsec.com> To: "Mutellip Ablimit" <mutax@insi.co.jp> Cc: <webappsec@securityfocus.com> Sent: Thursday, June 19, 2003 8:00 PM Subject: RE: Preventing cross site scripting

> certainly, this is probably the best practice no matter the method.

No, not the best method. This is illogical. You can't "check" for bad tags. You can only verify "good" tags. To do otherwise, would be to blindly accept tags--there are no other alternatives to that logic If you only enable good tags, you have control, and you don't have to check for bad tags--since you didn't enable them. otherwise your logic goes into an endless loop and you'll never be able to get past this problem. It will also make it unnecessarily complicated and inefficient, for such a simple task.

--
Regards,
Tim Greer  chatmaster@charter.net
Server administration, security, programming, consulting.

Received on Fri Jun 20 08:30:12 2003

This message: [ Message body ]
Next message: Tim: "Re: Input validation"
In reply to Jeremiah Grossman: "RE: Preventing cross site scripting"
Next in thread: Mutellip Ablimit: "RE: Preventing cross site scripting"
Reply: Mutellip Ablimit: "RE: Preventing cross site scripting"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:52 EDT