
RE: Preventing cross site scripting

From: Michael Howard <mikehow(at)microsoft.com>
Date: Fri Jun 20 2003 - 00:19:34 EDT


You can never know all the 'unacceptable' tags and the escape versions etc. Why not simply define the list of 'acceptable' tags, look for those, and anything you don't like you whitespace. Simple and safe! The worst you're gonna get is an annoyed customer that thinks you screwed them on what they consider is valid. Better that than a bunch of REALLY annoyed customers who think your stuff is unsafe!

Cheers, Michael
Writing Secure Code 2nd Edition
http://www.microsoft.com/mspress/books/5957.asp
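An allowlist sanitizer in the spirit of Michael's advice, placed next to the blacklist regex sketched in David's quoted message below; this is an added example, not code from either poster, and the ALLOWED tag/attribute policy and the http(s)-only href rule are assumptions made for the illustration.

```python
import re
from html import escape
from html.parser import HTMLParser

# Assumed allowlist policy (constructed for this example): tag -> attributes kept on it.
ALLOWED = {"p": set(), "b": set(), "i": set(), "br": set(), "a": {"href"}}
SAFE_HREF = ("http://", "https://")
# The blacklist regex as sketched in the quoted message, kept for contrast.
BLACKLIST_RE = re.compile(r"<(applet)|(embed).?>")

def blacklist_strip(html_in: str) -> str:
    """Enumerates bad tags; anything not on the list passes straight through."""
    return BLACKLIST_RE.sub("", html_in)

class AllowlistSanitizer(HTMLParser):
    """Rebuilds the input keeping only allowlisted tags and attributes.
    Every other tag becomes a space ("whitespace it"); all text is re-escaped on output."""

    def __init__(self):
        super().__init__(convert_charrefs=True)  # entities decoded here, re-encoded below
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:           # parser lowercases tag names, so <SCRIPT> == script
            self.out.append(" ")
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED[tag] or value is None:
                continue                 # unknown attribute (onclick, style, ...) dropped
            if name == "href" and not value.strip().lower().startswith(SAFE_HREF):
                continue                 # only http(s) links survive
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # <br/> handled like <br>, no stray </br>

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>" if tag in ALLOWED else " ")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))
    # comments, <!DOCTYPE> and <?pi?> hit HTMLParser's no-op handlers, so they vanish

def sanitize(html_in: str) -> str:
    parser = AllowlistSanitizer()
    parser.feed(html_in)
    parser.close()
    return "".join(parser.out)
```

Tags the blacklist never heard of pass through blacklist_strip() untouched, while sanitize() drops every tag and attribute it was not explicitly told to keep, which is why the allowlist fails safe.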

-----Original Message-----
From: David Cameron [mailto:dcameron@itis-now.com]
Sent: Thursday, June 19, 2003 6:51 PM
To: Andrew Beverley; webappsec@securityfocus.com
Subject: RE: Preventing cross site scripting

Create a list of unacceptable tags in an array (e.g. applet, embed), loop through the array and generate a regexpr based on the array, something of the form:
<(applet)|(embed).?> and replace all instances with "".

Do the same for any possible closing tags, i.e. </(applet)|(embed)>, and replace all instances with "".

BTW the RegExpr may be wrong, I'm not all that hot on RegExprs, but you get the idea.

regards
David Cameron
nOw.b2b
dcameron@itis-now.com

> -----Original Message-----


> the browser.

> understand the best way is to only allow acceptable information, in

> as input and strip out all nasty stuff? Does anyone have suggestions
Received on Fri Jun 20 08:32:58 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:52 EDT

