W3C home > Mailing lists > Public > www-html@w3.org > August 2006

Re: Security Markup

From: Ahmed Saad <ahmed.lists@gmail.com>
Date: Mon, 21 Aug 2006 16:01:04 +0300
Message-ID: <d334e39d0608210601h2ee23d8bxec22f678434bbe51@mail.gmail.com>
To: "Toby Inkster" <tobyink@goddamn.co.uk>
Cc: www-html@w3.org

Hi Toby,

On 21/08/06, Toby Inkster <tobyink@goddamn.co.uk> wrote:
> The only reliable way to deal with this is server side, by transforming
> '<' to '&lt;' and so forth.

For the sake of clarity, the example I wrote was overly simplistic to
get the idea across. Of course any reasonably coded filter can handle
such example but "real world" XSS vulnerabilities are never that
simple. Javascript code could be well embedded in tag attributes (for
example, <a href="javascript:alert('Hi I'm an XSS, you know?')" .. )
and even inside CSS rules! A CMS might want to allow comments that
contain such tags so it has to go through all forms of mumbo jumbo in
filtering logic. Throw in how borwsers strangely handle content
character encoding  and you have a disaster.

And actually in the last part of my original message, I did write that
it's not a complete alternative to a server-side filter but rather as
a more additional line of defense.

Received on Monday, 21 August 2006 13:01:17 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 7 January 2015 15:06:13 UTC