
HTML Security Issue

From: Grahame Grieve <grahame@kestral.com.au>
Date: Fri, 11 Feb 2000 12:24:56 +1100
Message-Id: <4.1.20000211120633.03885760@10.252.1.60>
To: www-talk@w3c.org
Cc: jeffs@kestral.com.au
We are having a bit of a quandary about a security
related issue. We have a standard web application
that allows users to enter information, which is then
redisplayed, possibly to other users. 

We wish to stop users putting scripts into the
text they enter (a security issue receiving press
at the moment, which prompted us to revive this issue).

It seemed to us the best way to stop this was to
convert any "<" to &lt; as we stored it in our
database. However this gives a problem when putting
the text entered back into the text box, as we
can't tell the difference between us showing
"text &lt; text" for what was originally "text < text"
and the user actually typing "text &lt;text".

There are several variations that arise with this problem.
For performance reasons we'd rather store the text 
"html-safe" and back convert it when putting it into 
a text box.

Does anyone have a good way of handling this problem?

Grahame
Received on Thursday, 10 February 2000 20:33:27 GMT
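One way to resolve the round-trip ambiguity, as an added example that is not part of the original post: escape `&` as well as `<`, `>` and quotes, so the stored html-safe form is a reversible encoding that can be dropped straight into a textarea (the browser decodes the entities) or decoded back exactly when needed. The function names and sample strings below are my own.

```python
# Escaping '<' alone is not reversible: "text &lt; text" typed by a user and
# "text < text" after escaping are stored identically (the problem in the post).
# Escaping '&' too makes the stored form an injective, exactly decodable encoding.

# Order matters: '&' is escaped first so the '&' introduced by the other
# replacements is not escaped a second time.
_ESCAPES = [
    ("&", "&amp;"),
    ("<", "&lt;"),
    (">", "&gt;"),
    ('"', "&quot;"),
    ("'", "&#39;"),
]


def naive_escape(text: str) -> str:
    """The '<'-only conversion from the post; ambiguous on round-trip."""
    return text.replace("<", "&lt;")


def html_escape(text: str) -> str:
    """Encode text so it is inert in an HTML body, textarea or quoted attribute."""
    for raw, entity in _ESCAPES:
        text = text.replace(raw, entity)
    return text


def html_unescape(safe: str) -> str:
    """Exact inverse of html_escape for strings it produced ('&amp;' is decoded
    last, so an '&' that was itself escaped never re-forms another entity)."""
    for raw, entity in reversed(_ESCAPES):
        safe = safe.replace(entity, raw)
    return safe


def render_textarea(stored_safe: str, name: str = "comment") -> str:
    """Put the html-safe stored form straight into an edit box: the browser
    decodes the entities, so the user sees exactly what was typed."""
    return f'<textarea name="{name}">{stored_safe}</textarea>'


if __name__ == "__main__":
    # Constructed sample inputs, including the two strings the post says collide.
    samples = ["text < text", "text &lt;text", '<b>hi</b> & "quotes"']
    assert naive_escape(samples[0]) == naive_escape("text &lt; text")  # collision
    for s in samples:
        stored = html_escape(s)
        assert html_unescape(stored) == s  # exact round-trip
        print(render_textarea(stored))
```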
