- From: Mark Birbeck <mark.birbeck@x-port.net>
- Date: Mon, 21 Aug 2006 14:15:40 +0100
- To: "Ahmed Saad" <ahmed.lists@gmail.com>
- Cc: "Toby Inkster" <tobyink@goddamn.co.uk>, www-html@w3.org
Ahmed/Toby,
Toby wrote:
> > The only reliable way to deal with this is server side, by transforming
> > '<' to '&lt;' and so forth.
And Ahmed replied:
> For the sake of clarity, the example I wrote was overly simplistic to
> get the idea across. Of course any reasonably coded filter can handle
> such example but "real world" XSS vulnerabilities are never that
> simple. Javascript code could be well embedded in tag attributes (for
> example, <a href="javascript:alert('Hi I'm an XSS, you know?')" .. )
> and even inside CSS rules! A CMS might want to allow comments that
> contain such tags so it has to go through all forms of mumbo jumbo in
> filtering logic. Throw in how browsers strangely handle content
> character encoding and you have a disaster.
>
> And actually in the last part of my original message, I did write that
> it's not a complete alternative to a server-side filter but rather as
> a more additional line of defense.
Exactly...and anyway, Toby's point only moves the problem--even if you
do the filtering server-side, how does the server know when to apply
the filter?
Of course you could hard-code this 'knowledge' into your application,
but it seems pretty wasteful for such a common requirement. The idea
of using something like Ahmed's idea, preferably via @role, is that a
server could detect this and do some pre-processing before the page
was delivered.
Regards,
Mark
--
Mark Birbeck
CEO
x-port.net Ltd.
e: Mark.Birbeck@x-port.net
t: +44 (0) 20 7689 9232
w: http://www.formsPlayer.com/
b: http://internet-apps.blogspot.com/
Download our XForms processor from
http://www.formsPlayer.com/
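The arrangement Mark sketches, the author marking the untrusted region with @role so the server knows where to apply its filter, as an added Python example that is not code from this thread or from any W3C or x-port.net project. The role value "user-content", the tag and attribute allowlists and the sample page are assumptions constructed for illustration; the filter strips tags and attributes it does not recognise inside the marked region and rejects href values whose scheme is not allowlisted, while markup outside the region passes through.

```python
"""
Added example (not from the thread): a server-side filter that sanitises HTML
only inside regions marked with an assumed role="user-content" attribute.
Everything outside such a region is the page author's own markup and is
passed through; everything inside is treated as untrusted.
"""
import html
import re
from html.parser import HTMLParser

USER_CONTENT_ROLE = "user-content"                 # assumed marker value
ALLOWED_TAGS = {"p", "a", "em", "strong", "br", "ul", "li"}
ALLOWED_ATTRS = {"a": {"href", "title"}}           # no style=, no on*=
ALLOWED_SCHEMES = {"http", "https", "mailto"}
VOID_TAGS = {"br"}
SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.-]*):", re.IGNORECASE)


def safe_href(value):
    """Return the href if relative or using an allowlisted scheme, else None.

    Entities are already decoded by the parser; ASCII control characters and
    whitespace are removed before the scheme check because browsers tolerate
    them inside a scheme name.
    """
    cleaned = "".join(ch for ch in value if ord(ch) > 32)
    match = SCHEME_RE.match(cleaned)
    if match is None or match.group(1).lower() in ALLOWED_SCHEMES:
        return value
    return None


def filter_attrs(tag, attrs):
    """Keep only allowlisted attributes for tag, dropping unsafe href values."""
    kept = []
    for name, value in attrs:
        if name not in ALLOWED_ATTRS.get(tag, set()):
            continue
        if name == "href":
            value = safe_href(value)
            if value is None:
                continue
        kept.append((name, value))
    return kept


class RoleScopedSanitizer(HTMLParser):
    """Re-serialise a page, sanitising only inside role="user-content"."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.depth = 0      # > 0 while inside a marked region
        self.stack = []     # (tag, opened_region, was_emitted) per open tag

    @staticmethod
    def _serialise(tag, attrs):
        parts = "".join(f' {k}="{html.escape(v, quote=True)}"' for k, v in attrs)
        return f"<{tag}{parts}>"

    def handle_starttag(self, tag, attrs):
        attrs = [(k, "" if v is None else v) for k, v in attrs]
        opens_region = self.depth == 0 and dict(attrs).get("role") == USER_CONTENT_ROLE
        if self.depth == 0:                           # author's own markup
            emitted = True
            self.out.append(self._serialise(tag, attrs))
        elif tag in ALLOWED_TAGS:                     # untrusted but allowlisted
            emitted = True
            self.out.append(self._serialise(tag, filter_attrs(tag, attrs)))
        else:                                         # strip the tag, keep its text
            emitted = False
        if opens_region:
            self.depth += 1
        if tag not in VOID_TAGS:
            self.stack.append((tag, opens_region, emitted))

    def handle_endtag(self, tag):
        if tag in VOID_TAGS or not any(t == tag for t, _, _ in self.stack):
            return                                    # stray end tag: ignore
        while True:                                   # unwind to the matching open tag
            t, opened, emitted = self.stack.pop()
            if opened:
                self.depth -= 1
            if emitted:
                self.out.append(f"</{t}>")
            if t == tag:
                break

    def handle_data(self, data):
        top = self.stack[-1][0] if self.stack else None
        if top in ("script", "style"):
            if self.depth == 0:
                self.out.append(data)                 # page's own script/style, verbatim
            # inside a region the body of a stripped script/style is dropped
        else:
            self.out.append(html.escape(data, quote=False))

    def handle_comment(self, data):
        if self.depth == 0:
            self.out.append(f"<!--{data}-->")         # comments inside regions are dropped

    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")


def sanitise_page(markup):
    parser = RoleScopedSanitizer()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out)


# Constructed sample page: trusted markup around one marked region
SAMPLE = (
    '<html><body><script>init();</script><h1>Site &amp; comments</h1>'
    '<div role="user-content"><p>Nice <b>post</b> '
    '<a href="javascript:alert(1)" onclick="x()">here</a> and '
    '<a href="https://example.org/" style="color:red">there</a>'
    '<script>untrusted();</script></p></div></body></html>'
)

if __name__ == "__main__":
    print(sanitise_page(SAMPLE))
```

The region opener itself (the `div` carrying the role) is emitted as the author wrote it; only its descendants are filtered, so the server applies the expensive logic exactly where the markup says untrusted content lives and nowhere else.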
Received on Monday, 21 August 2006 13:17:32 UTC