
Re: Preventing cross site scripting

From: Laurian Gridinoc <laur(at)grapefruitdesign.com>
Date: Fri Jun 20 2003 - 23:36:51 EDT

On Sat, 2003-06-21 at 00:49, Tim Greer wrote:
> But you can't. You have to look at it as text and determine what characters

You look at it as text just until you separate the markup from the rest, then you treat the markup and later the remaining text content. There is no point in processing the attributes or the text content of an object tag when I want to drop it from the start.

Treating the HTML as text (treating it all in the same step - tags and values and content) is what Yahoo was doing last year - and they ended up replacing `evil' stuff not only in the tags but also in the text content.
[The word "medieval" (since it contains the javascript command "eval") is converted in Yahoo mail to "medireview".] http://www.ntk.net/2002/07/12/
http://www.ntk.net/2002/07/12/yahoo.txt
This is also a nice example of how wrong a blacklist filter may be.

> The only way to determine if it's valid and safe, barring a lot of static

The huge whitelist starts with the HTML DTD, which defines what is allowed and where, and the first filtering occurs when Tidy parses the HTML document according to the standard, which is a whitelist check after all.

> would be to simply strip

Tidy won't strip because of this; it will just properly escape what isn't allowed to remain there in that format, resolving almost all of the XSS attacks which are based on breaking the syntax.


> Only so many HTML tags would allow for someone to do this in reality. The

Not any combination; the DTD restricts it by specifying what is allowed.

> Anyway, like you

Most are not aware of what the mail client is doing :) and anyway richer text formats may enhance communication.

> so it can get rather involved, unless you simply remove

This is what the parser is doing.

> Even a string with multiple single or double quotes. It's just as effective

These are particular cases; you may support (allow) additional tags by defining them in the DTD. PHP, on the other hand, uses processing instructions (<?php ... ?>) rather than its own namespace for tags, which I consider bad as a concept.


> > > Nonetheless, if you develop anything along the lines you

A working example will say more than any code listing; I'll be happy to assemble one from already running stuff.

Cheers,

-- 
Laurian Gridinoc
Chief Developer
GRAPEFRUIT DESIGN

tel/fax: +40.232.233068
tel/fax: +1.646.349.2916
mobile: +40.745.304379
e-mail: laur@gd.ro
www.grapefruitdesign.com
www.gd.ro
Received on Sat Jun 21 22:36:16 2003
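The post's two points, that a blacklist string filter mangles text like "medieval" while a parser-based whitelist judges markup and text separately, can be shown side by side. The following is an added example, not code from the post, from Yahoo, or from HTML Tidy; its `ALLOWED` table is a small constructed stand-in for the DTD-driven check the post describes, and the sample input is constructed.

```python
"""Allowlist HTML sanitizer built on a real parser, beside a blacklist string
filter.  Added example (not code from the post, from Yahoo, or from HTML Tidy);
the allowlist below is a small constructed stand-in for a DTD."""
from html import escape
from html.parser import HTMLParser
import re

# Constructed allowlist: element -> attributes it may carry (our tiny "DTD").
ALLOWED = {
    "p": set(), "br": set(), "b": set(), "i": set(), "em": set(),
    "strong": set(), "ul": set(), "ol": set(), "li": set(), "a": {"href"},
}
VOID = {"br"}                                   # elements without an end tag
DROP_WITH_CONTENT = {"script", "style", "object", "embed", "iframe"}
SAFE_HREF = re.compile(r"^(https?:|mailto:)", re.IGNORECASE)


class AllowlistSanitizer(HTMLParser):
    """Separate markup from text first, then judge each piece on its own."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.stack = []         # allowed elements currently open
        self.dropping = None    # element whose whole content is being discarded
        self.drop_depth = 0     # nesting of same-named dropped elements

    def handle_starttag(self, tag, attrs):
        if self.dropping:
            if tag == self.dropping:
                self.drop_depth += 1
            return
        if tag in DROP_WITH_CONTENT:
            self.dropping, self.drop_depth = tag, 1   # tag, attrs, content: all gone
            return
        if tag not in ALLOWED:
            # Unknown element: escaped it is just text, so keep it as text.
            self.out.append(escape(self.get_starttag_text()))
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED[tag] or value is None:
                continue                      # event handlers etc. never pass
            if name == "href" and not SAFE_HREF.match(value.strip()):
                continue                      # javascript:, data:, ... dropped
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID:
            self.stack.append(tag)

    def handle_endtag(self, tag):
        if self.dropping:
            if tag == self.dropping:
                self.drop_depth -= 1
                if self.drop_depth == 0:
                    self.dropping = None
            return
        if tag in ALLOWED and tag in self.stack:
            # Close down to the matching element (Tidy-style syntax repair).
            while self.stack:
                closed = self.stack.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break
        elif tag not in ALLOWED:
            self.out.append(escape(f"</{tag}>"))

    def handle_data(self, data):
        if not self.dropping:
            self.out.append(escape(data))     # text content is re-escaped, never executed

    def result(self):
        self.close()
        while self.stack:                     # balance whatever was left open
            self.out.append(f"</{self.stack.pop()}>")
        return "".join(self.out)


def sanitize(html):
    parser = AllowlistSanitizer()
    parser.feed(html)
    return parser.result()


# Constructed blacklist in the spirit of the mail filter the post mentions:
# every occurrence of a "dangerous" word is rewritten, markup or not.
BLACKLIST = {"eval": "review"}


def blacklist_filter(html):
    for bad, replacement in BLACKLIST.items():
        html = re.sub(bad, replacement, html, flags=re.IGNORECASE)
    return html


if __name__ == "__main__":
    sample = '<p>The <b>medieval</b> poet wrote: <script>alert(1)</script></p>'  # constructed
    print(blacklist_filter(sample))   # "medireview", and the script survives
    print(sanitize(sample))           # text intact, script element gone
```

The blacklist rewrites the prose and still lets the `<script>` element through; the parser keeps the text untouched, drops the script element with its content, escapes unknown tags instead of stripping them, discards attributes the allowlist does not name, and closes elements left open by broken syntax.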

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:53 EDT

