- From: Alexey Feldgendler <alexey@feldgendler.ru>
- Date: Mon, 13 Mar 2006 13:50:19 +0600
On Fri, 10 Mar 2006 13:21:36 +0600, Bjoern Hoehrmann <derhoermi at gmx.net> wrote:

>> This kind of attack is hard to circumvent through use of HTML cleaners
>> because id="addtomemories" looks like an innocent attribute, like an
>> anchor for navigation. Preventing such attacks by a HTML cleaner would
>> require either making a full list of all "forbidden" IDs, class names
>> etc, or imposing Draconian rules upon user-supplied content, completely
>> disallowing such useful attributes like id and class.

> A full list of all forbidden IDs would be as simple as /^acme-/

Indeed. But adding a prefix to each ID and/or class name is not an option
for many mature CMS and other web applications.

> which would already be necessary to ensure conforming content.

Necessary but not sufficient. Duplicate IDs aren't caught by a validating
parser, so custom code is needed to enforce many of the requirements. For
example, if one was trying to ensure that all IDs are unique, then the ID
values within the user-supplied code would have to be checked for
duplicates among them, too.

-- 
Opera M2 9.0 TP2 on Debian Linux 2.6.12-1-k7
* Origin: X-Man's Station at SW-Soft, Inc. [ICQ: 115226275] <alexey at feldgendler.ru>
Received on Sunday, 12 March 2006 23:50:19 UTC
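The two checks discussed in this message, as an added example that is not from the thread or from any particular CMS: a pass over a user-supplied HTML fragment that flags id and class values colliding with the application's own identifiers (the constructed "acme-" prefix from the thread plus a legacy unprefixed name, "addtomemories") and reports ids duplicated within the fragment itself.

```python
import re
from html.parser import HTMLParser

# Assumption (constructed for this example): the application namespaces its
# own ids/classes as "acme-*" and also owns the legacy, unprefixed id
# "addtomemories" mentioned in the thread.
RESERVED_PREFIX = re.compile(r"^acme-")
RESERVED_NAMES = {"addtomemories"}


class IdAuditor(HTMLParser):
    """Collect every id value and class token from a fragment, in order."""

    def __init__(self):
        super().__init__()
        self.ids = []
        self.classes = []

    def handle_starttag(self, tag, attrs):
        # html.parser lowercases attribute names; value is None for bare attrs
        for name, value in attrs:
            if value is None:
                continue
            if name == "id":
                self.ids.append(value.strip())
            elif name == "class":
                self.classes.extend(value.split())


def audit_fragment(html):
    """Return (kind, value) findings: reserved-id, duplicate-id, reserved-class."""
    parser = IdAuditor()
    parser.feed(html)
    parser.close()
    findings, seen = [], set()
    for ident in parser.ids:
        # clash with application-owned identifiers (the /^acme-/ style rule)
        if RESERVED_PREFIX.match(ident) or ident in RESERVED_NAMES:
            findings.append(("reserved-id", ident))
        # duplicates among the user-supplied ids, which a validator won't catch
        if ident in seen:
            findings.append(("duplicate-id", ident))
        seen.add(ident)
    for cls in parser.classes:
        if RESERVED_PREFIX.match(cls) or cls in RESERVED_NAMES:
            findings.append(("reserved-class", cls))
    return findings


# Constructed sample: a legacy-id clash, a prefixed class, and a repeated id.
SAMPLE = ('<p id="intro">Hello</p><a id="addtomemories" href="#">x</a>'
          '<div class="note acme-button">y</div><p id="intro">again</p>')

if __name__ == "__main__":
    for finding in audit_fragment(SAMPLE):
        print(finding)
```

A real deployment would load RESERVED_NAMES from the application's templates and reject or rewrite the fragment on any finding rather than just reporting it.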