Preventing XSS

Hello!

I see that a lot of people here are interested in preventing Cross-Site Scripting. Why don't you join the people who are working on filters for it (like my kses in PHP, or someone else's HTML::StripScripts::Parser in Perl), so we end up with really robust open-source implementations that we can point people to?

Talking about filters, didn't the OWASP Project use to work on them as well? Did they release anything?

Another question: People were discussing a <dead> tag earlier that would temporarily stop execution of JavaScript in a web page. (Not that the XSS problem is only related to JavaScript, mind you, meta refreshes can be just as bad.) Did someone start implementing that?

Another two pence to the general XSS discussion: it's not just about whole HTML elements, it's also about fragments. With this PHP code:

echo "<a href=\"$url\">Homepage</a>\n";

you can cause an XSS problem if $url is:

http://www.somestupidsite.tk/" onMouseOver="alert(57)

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

Just processing "<" and ">" won't help you. In this type of fragment, quotes and apostrophes must be handled as well.

// Ulf Harnhammar

   kses - PHP HTML filter
   http://sourceforge.net/projects/kses

-- 
____________________________________________
http://www.operamail.com
Get OperaMail Premium today - USD 29.99/year


Powered by Outblaze