W3C home > Mailing lists > Public > www-talk@w3.org > January to February 2000

Re: HTML Security Issue

From: Edward Thomas <mcai7et2@stud.umist.ac.uk>
Date: Fri, 11 Feb 2000 08:41:22 +0000
Message-ID: <38A3CB32.402532D3@stud.umist.ac.uk>
To: Grahame Grieve <grahame@kestral.com.au>, "www-talk@w3c.org" <www-talk@w3c.org>
Grahame Grieve wrote:
> 
> We are having a bit of a quandary about a security
> related issue. We have a standard web application
> that allows users to enter information, which is then
> redisplayed, possibly to other users.
> 
> We wish to stop users putting scripts into the
> text they enter (a security issue receiving press
> at the moment, which prompted us to revive this issue)
> 
> It seemed to us the best way to stop this was to
> convert any "<" to &lt; as we stored it in our
> database. However this gives a problem when putting
> the text entered back into the text box, as we
> can't tell the difference between us showing
> "text &lt; text" for what was originally "text < text"
> and the user actually typing "text &lt;text"
> 
> There's several variations that arise with this problem.
> For performance reasons we'd rather store the text
> "html-safe" and back convert it when putting it into
> a text box.
> 
> Does any one have a good way of handling this problem?

Why not also convert '&' characters entered by the user into '&amp;'
entities, then when it is reconverted, a '<' will be a '<' and a '&lt;'
will be '&lt;'

> 
> Grahame
Received on Friday, 11 February 2000 03:39:17 GMT
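The round-trip problem from the original post and the fix proposed in the reply, as an added example that is not part of the thread. It shows why escaping only '<' makes the stored form ambiguous, and why escaping '&' first (and, going one step beyond the thread, '>' as well) makes the stored text unambiguous so it can be converted back exactly. Function names and the sample strings are assumptions for illustration.

```python
"""Storing user text "html-safe" and converting it back for a text box.

Added example for the www-talk thread above; not code from the thread.
The ambiguity: if only '<' is escaped on the way into the database, the
stored string "text &lt; text" could have come from a user typing
"text < text" or from a user literally typing "text &lt; text".
Escaping '&' as well removes the ambiguity, because a literal '&' typed
by the user is stored as '&amp;' and can never be confused with the '&'
that an escape sequence introduces.
"""
import html  # stdlib equivalents: html.escape / html.unescape


def escape_lt_only(text: str) -> str:
    """The scheme from the original post: only '<' is converted.
    Two different inputs can map to the same stored value (see collides)."""
    return text.replace("<", "&lt;")


def escape_full(text: str) -> str:
    """The fix from the reply: convert '&' as well, plus '>' for symmetry.
    '&' must be replaced FIRST; otherwise the '&' that '&lt;' introduces
    would itself be turned into '&amp;' and the stored text would be wrong."""
    return (text.replace("&", "&amp;")
                .replace("<", "&lt;")
                .replace(">", "&gt;"))


def unescape_full(stored: str) -> str:
    """Reverse of escape_full, for refilling a text box with the exact text
    the user typed. '&amp;' must be handled LAST so that the '&' it yields
    is not re-read as the start of another entity."""
    return (stored.replace("&lt;", "<")
                  .replace("&gt;", ">")
                  .replace("&amp;", "&"))


def collides(a: str, b: str) -> bool:
    """True when two different inputs become indistinguishable in storage
    under the '<'-only scheme."""
    return a != b and escape_lt_only(a) == escape_lt_only(b)


def round_trips(text: str) -> bool:
    """True when escape_full followed by unescape_full returns the input."""
    return unescape_full(escape_full(text)) == text


def matches_stdlib(text: str) -> bool:
    """Cross-check against the standard library's own escaping."""
    return escape_full(text) == html.escape(text, quote=False) and \
        html.unescape(escape_full(text)) == text


if __name__ == "__main__":
    # Constructed sample inputs: the two cases from the original post.
    typed_lt = "text < text"          # user typed a real '<'
    typed_entity = "text &lt; text"   # user literally typed '&lt;'

    print("'<'-only scheme collides:", collides(typed_lt, typed_entity))
    print("full scheme stores:", escape_full(typed_lt), "|", escape_full(typed_entity))
    for sample in (typed_lt, typed_entity, "a <b> & c &amp; &lt;"):
        print(repr(sample), "round-trips:", round_trips(sample))
```

Because the stored form is already entity-encoded, it is also exactly what belongs between `<textarea>` tags in the generated page: the browser decodes `&lt;` and `&amp;` back to the characters the user typed, so the explicit unescape above is only needed when the raw characters are wanted outside an HTML context.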

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 27 October 2010 18:14:24 GMT