Re: Preventing cross site scripting
----- Original Message -----
From: "Laurian Gridinoc" <laur@grapefruitdesign.com>
To: "Tim Greer" <chatmaster@charter.net>
Cc: <webappsec@securityfocus.com>
Sent: Friday, June 20, 2003 11:12 AM
Subject: Re: Preventing cross site scripting
> On Fri, 2003-06-20 at 19:08, Tim Greer wrote:
> > > DOM tree and control it from there; I'm widely using Tidy to `correct' the
> > > input to XHTML, then by a simple XSL transformation I can filter/alter
> > > whatever elements I need.
> > Can you give a real world example of a URL link/anchor tag on how you would
> > allow or disallow it from becoming active based on specific variables that
> > would prevent an attack that would be a superior method over a regex
> > example, such as I offered?
>
> I can, it surely takes more lines; but I was talking more to the markup or
> > > simple replace methods) pretty uncertain in results and not quite
> > > programming :) -- it's a language, it has a grammar, then use a parser.
> > I don't see how anything would be better than a regex, but everyone has
> > their preferences. TIMTOWTDI, I'm sure.
>
> I just like (and consider it safe) to treat markup (sometime before) and
Hi,
Please provide some examples of this. I'd like to see your idea(s) at work
and how it would solve this problem. I'm honestly not quite clear on the
context in which you mean this to solve this problem and I'm interested in
knowing. I'm not sure I agree right now, so some examples illustrating it
would be great--if you'd be so kind. Thanks.
--
Regards,
Tim Greer chatmaster@charter.net
Server administration, security, programming, consulting.
Received on Fri Jun 20 13:34:18 2003
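
Added example, not from the thread or its participants: one way the parse-then-filter approach debated above could treat anchor tags, with Python's `html.parser` standing in for the Tidy plus XSL pipeline mentioned in the quoted text. The tag and scheme allowlists and the names `safe_href`, `LinkSanitizer` and `sanitize` are assumptions of this example.

```python
import html
import re
from html.parser import HTMLParser

# Assumed policy for this example; adjust to what the site must accept.
ALLOWED_TAGS = {"a", "b", "i", "em", "strong", "p"}
ALLOWED_SCHEMES = {"http", "https", "mailto"}
DROP_CONTENT = {"script", "style"}  # drop the element and its text

def safe_href(value):
    # Browsers ignore whitespace/control characters in a URL scheme, so
    # strip them first: "java<TAB>script:" must be judged as "javascript:".
    cleaned = re.sub(r"[\x00-\x20\x7f]", "", value or "")
    match = re.match(r"([A-Za-z][A-Za-z0-9+.-]*):", cleaned)
    scheme = match.group(1).lower() if match else ""
    # Relative and scheme-less URLs are rejected too (absolute links only).
    return cleaned if scheme in ALLOWED_SCHEMES else None

class LinkSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open_tags, self.skipping = [], [], 0
    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skipping += 1
        if self.skipping or tag not in ALLOWED_TAGS:
            return
        # Attributes are rebuilt, never copied: only a vetted href survives.
        href = safe_href(dict(attrs).get("href")) if tag == "a" else None
        attr = ' href="%s"' % html.escape(href, quote=True) if href else ""
        self.out.append("<%s%s>" % (tag, attr))
        self.open_tags.append(tag)
    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skipping = max(0, self.skipping - 1)
        elif not self.skipping and tag in self.open_tags:
            while self.open_tags:  # also close inner tags left open
                inner = self.open_tags.pop()
                self.out.append("</%s>" % inner)
                if inner == tag:
                    break
    def handle_data(self, data):
        if not self.skipping:
            self.out.append(html.escape(data))  # text is always re-escaped

def sanitize(markup):
    parser = LinkSanitizer()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out + ["</%s>" % t for t in reversed(parser.open_tags)])
```

Because the output is re-serialized from parsed tokens, the scheme check sees the attribute value after entity decoding, and event-handler attributes never reach the output at all.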