- From: Ahmed Saad <ahmed.lists@gmail.com>
- Date: Mon, 21 Aug 2006 16:01:04 +0300
- To: "Toby Inkster" <tobyink@goddamn.co.uk>
- Cc: www-html@w3.org
Hi Toby,

On 21/08/06, Toby Inkster <tobyink@goddamn.co.uk> wrote:
> The only reliable way to deal with this is server side, by transforming
> '<' to '&lt;' and so forth.

For the sake of clarity, the example I wrote was overly simplistic to get the idea across. Of course any reasonably coded filter can handle such an example, but "real world" XSS vulnerabilities are never that simple. JavaScript code could be well embedded in tag attributes (for example, <a href="javascript:alert('Hi I'm an XSS, you know?')" .. ) and even inside CSS rules! A CMS might want to allow comments that contain such tags, so it has to go through all forms of mumbo jumbo in filtering logic. Throw in how browsers strangely handle content character encoding and you have a disaster.

And actually, in the last part of my original message, I did write that it's not a complete alternative to a server-side filter but rather an additional line of defense.

Regards,
Ahmed
Received on Monday, 21 August 2006 13:01:17 UTC
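
The point made in the message above, that entity-escaping `<` does nothing about a `javascript:` URL inside an attribute, can be seen in a small server-side check. This is an added example, not part of the original thread; the function names and sample inputs are hypothetical, and it assumes the `href` value has already been entity-decoded by the HTML parser the filter uses.

```javascript
// Added example (not from the thread). Names and inputs are constructed.
// Schemes a comment link is allowed to use; everything else is dropped.
const ALLOWED_SCHEMES = new Set(["http", "https", "mailto"]);

// Entity-encode the characters significant in HTML text and quoted attributes.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Allowlist check for a user-supplied href (assumed already entity-decoded).
function isSafeHref(value) {
  // Browsers ignore tab/CR/LF inside a URL and trim leading control
  // characters and spaces, so normalise the same way before inspecting.
  const cleaned = String(value)
    .replace(/[\t\n\r]/g, "")
    .replace(/^[\u0000-\u0020]+/, "");
  // Only a colon before the first '/', '?' or '#' can terminate a scheme.
  const head = cleaned.split(/[\/?#]/)[0];
  if (!head.includes(":")) return true; // relative URL, no scheme
  const scheme = head.slice(0, head.indexOf(":")).toLowerCase();
  return ALLOWED_SCHEMES.has(scheme);
}

// Emit a link only when the href passes the allowlist; otherwise emit
// the escaped label as plain text.
function renderLink(href, text) {
  const label = escapeHtml(text);
  if (!isSafeHref(href)) return label;
  return `<a href="${escapeHtml(href)}" rel="nofollow">${label}</a>`;
}

// Constructed samples: escaping alone leaves the scheme untouched,
// while the allowlist rejects it even with mixed case and an embedded tab.
const samples = [
  "javascript:alert(1)",
  " jAvA\tscript:alert(1)",
  "data:text/html,hello",
  "https://example.org/?q=a&b",
  "/docs/page#x:y",
];
for (const s of samples) {
  console.log(JSON.stringify(s), "escaped:", escapeHtml(s), "allowed:", isSafeHref(s));
}
```

An allowlist of schemes covers only the `href` case; CSS rules and character-encoding handling, which the message also mentions, need their own checks.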