
Re: Preventing cross site scripting

From: Tim Greer <chatmaster(at)charter.net>
Date: Fri Jun 20 2003 - 12:08:18 EDT

----- Original Message -----
From: "Laurian Gridinoc" <laur@grapefruitdesign.com>
To: "Wojciech Purczynski" <cliph@isec.pl>
Cc: "Tim Greer" <chatmaster@charter.net>; <webappsec@securityfocus.com>
Sent: Friday, June 20, 2003 9:21 AM
Subject: Re: Preventing cross site scripting

> The most elegant way to control html input would be to parse it to a DOM

Can you give a real world example of a URL link/anchor tag on how you would allow or disallow it from becoming active based on specific variables that would prevent an attack that would be a superior method over a regex example, such as I offered?

>
> I consider filtering html as it was a mere string (i.e. using regexp or

I don't see how anything would be better than a regex, but everyone has their preferences. TIMTOWTDI, I'm sure. You think regexes aren't quite programming? :()

--
Regards,
Tim Greer  chatmaster@charter.net
Server administration, security, programming, consulting.
Received on Fri Jun 20 13:14:23 2003
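
The parse-then-allowlist approach debated in this message, as an added example that is not from the thread or from any of its posters: the input is parsed with Python's standard `html.parser`, and an anchor is re-emitted only when its decoded `href` has an allowlisted scheme. The names `safe_href`, `LinkOnlySanitizer` and `sanitize`, and the scheme policy, are assumptions made for this illustration.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https", "mailto"}  # assumed policy, not from the thread


def safe_href(value):
    """Return the URL if its scheme is allowlisted, otherwise None."""
    url = value.strip()
    if any(ch <= " " for ch in url):  # whitespace/control chars inside the URL
        return None
    try:
        scheme = urlsplit(url).scheme.lower()
    except ValueError:  # malformed authority, e.g. an unterminated IPv6 literal
        return None
    return url if scheme in ALLOWED_SCHEMES else None  # relative URLs rejected too


class LinkOnlySanitizer(HTMLParser):
    """Rebuilds the input keeping only text and <a href> with an allowed scheme."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_links = 0

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return  # other tags are dropped; their text still reaches handle_data
        # The parser has already decoded character references in the value.
        url = safe_href(dict(attrs).get("href") or "")
        if url is not None:
            # Only href is re-emitted, so event-handler attributes never survive.
            self.out.append('<a href="%s" rel="nofollow">' % escape(url, quote=True))
            self.open_links += 1

    def handle_endtag(self, tag):
        if tag == "a" and self.open_links:
            self.out.append("</a>")
            self.open_links -= 1

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))


def sanitize(markup):
    parser = LinkOnlySanitizer()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out) + "</a>" * parser.open_links
```

Because the decision is made on the attribute value after the parser has decoded it, an entity-encoded or mixed-case scheme is compared in the same form as a plain one, and the output is rebuilt from scratch rather than edited in place.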

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:53 EDT

