
Re: Security Markup

From: Mark Birbeck <mark.birbeck@x-port.net>
Date: Mon, 21 Aug 2006 14:15:40 +0100
Message-ID: <640dd5060608210615m1d299c41ief026d4e94137620@mail.gmail.com>
To: "Ahmed Saad" <ahmed.lists@gmail.com>
Cc: "Toby Inkster" <tobyink@goddamn.co.uk>, www-html@w3.org

Ahmed/Toby,

Toby wrote:
> > The only reliable way to deal with this is server side, by transforming
> > '<' to '&lt;' and so forth.

And Ahmed replied:
> For the sake of clarity, the example I wrote was overly simplistic to
> get the idea across. Of course any reasonably coded filter can handle
> such an example but "real world" XSS vulnerabilities are never that
> simple. Javascript code could be well embedded in tag attributes (for
> example, <a href="javascript:alert('Hi I'm an XSS, you know?')" .. )
> and even inside CSS rules! A CMS might want to allow comments that
> contain such tags so it has to go through all forms of mumbo jumbo in
> filtering logic. Throw in how browsers strangely handle content
> character encoding and you have a disaster.
>
> And actually in the last part of my original message, I did write that
> it's not a complete alternative to a server-side filter but rather as
> a more additional line of defense.

Exactly...and anyway, Toby's point only moves the problem--even if you
do the filtering server-side, how does the server know when to apply
the filter?

Of course you could hard-code this 'knowledge' into your application,
but it seems pretty wasteful for such a common requirement. The idea
of using something like Ahmed's idea, preferably via @role, is that a
server could detect this and do some pre-processing before the page
was delivered.

Regards,

Mark

-- 
Mark Birbeck
CEO
x-port.net Ltd.

e: Mark.Birbeck@x-port.net
t: +44 (0) 20 7689 9232
w: http://www.formsPlayer.com/
b: http://internet-apps.blogspot.com/

Download our XForms processor from
http://www.formsPlayer.com/
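The thread above makes two points a server-side filter has to get right: escaping '<' to '&lt;' only covers text content, and a CMS that allows some tags in comments still has to deal with `javascript:` URLs in `href` attributes, event-handler attributes and CSS. The following is an added example written for this archive page, not code from any participant in the thread. It uses only Python's standard library (`html.parser`) to build a small allow-list sanitizer: text is entity-escaped, unknown tags are dropped but their text kept, only a handful of tags and attributes survive, `style` and `on*` attributes are never copied, and `href` values are checked against an allow-list of URL schemes after HTML entities and control characters have been decoded, so `&#106;avascript:` and `jav<TAB>ascript:` are rejected the same way as a plain `javascript:` URL. The sample comments at the bottom are constructed for the demonstration.

```python
import html
import re
from html.parser import HTMLParser

# Allow-list: everything not listed here is dropped (assumed policy for a comment field).
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "code", "a"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
SAFE_SCHEMES = {"http", "https", "mailto"}

# RFC 3986 scheme syntax: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) followed by ":"
SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.-]*):", re.I)


def safe_href(url):
    """Return the URL if it is relative or uses an allow-listed scheme, else None.

    Browsers ignore control characters and whitespace inside the scheme, so
    strip them before looking at it; otherwise "jav\\tascript:" slips through.
    """
    cleaned = re.sub(r"[\x00-\x20\x7f]", "", url)
    match = SCHEME_RE.match(cleaned)
    if match is None:
        return cleaned  # no scheme: relative URL, harmless on its own
    return cleaned if match.group(1).lower() in SAFE_SCHEMES else None


class CommentSanitizer(HTMLParser):
    """Rebuilds a comment fragment from parsed tokens, keeping only allowed parts."""

    def __init__(self):
        # convert_charrefs=True: entity references in text arrive decoded, so they
        # are re-escaped below and cannot be used to smuggle markup.
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # drop the tag itself; its text still arrives via handle_data
        kept = []
        for name, value in attrs:
            # style=, onclick=, onerror= etc. are simply not in the allow-list
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue
            if name == "href":
                value = safe_href(value)  # HTMLParser already decoded entities in it
                if value is None:
                    continue
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in self.open_tags:
            # close anything opened after it as well, so the output stays well-formed
            while self.open_tags:
                closed = self.open_tags.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        # Text content: this is the '<' -> '&lt;' step from the thread.
        self.out.append(html.escape(data, quote=True))

    def result(self):
        while self.open_tags:  # close tags the comment left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize(fragment):
    parser = CommentSanitizer()
    parser.feed(fragment)
    parser.close()
    return parser.result()


if __name__ == "__main__":
    # Constructed sample comments (not from the original thread).
    samples = [
        'Hello <b>world</b>',
        '<a href="javascript:alert(\'x\')">click</a>',
        '<a href="&#106;avascript:alert(1)">entity-encoded scheme</a>',
        '<a href="https://example.com/page?id=7" onclick="evil()">ok</a>',
        '<img src=x onerror=alert(1)>text',
        '<i style="color:red">styled</i>',
    ]
    for s in samples:
        print(repr(s), "->", repr(sanitize(s)))
```

Comments and `<script>`/`<style>` elements never reach the output as markup: the parser reports their contents as data, which is escaped as text. The scheme check deliberately runs on the decoded attribute value, because the decoded form is what the browser would follow; checking the raw source text for the string "javascript:" is the kind of filter Ahmed describes as breaking on real-world input.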
Received on Monday, 21 August 2006 13:17:32 GMT
