- From: Ahmed Saad <ahmed.lists@gmail.com>
- Date: Mon, 21 Aug 2006 16:01:04 +0300
- To: "Toby Inkster" <tobyink@goddamn.co.uk>
- Cc: www-html@w3.org
Hi Toby,
On 21/08/06, Toby Inkster <tobyink@goddamn.co.uk> wrote:
> The only reliable way to deal with this is server side, by transforming
> '<' to '<' and so forth.
For the sake of clarity, the example I wrote was overly simplistic to
get the idea across. Of course any reasonably coded filter can handle
such example but "real world" XSS vulnerabilities are never that
simple. Javascript code could be well embedded in tag attributes (for
example, <a href="javascript:alert('Hi I'm an XSS, you know?')" .. )
and even inside CSS rules! A CMS might want to allow comments that
contain such tags so it has to go through all forms of mumbo jumbo in
filtering logic. Throw in how borwsers strangely handle content
character encoding and you have a disaster.
And actually in the last part of my original message, I did write that
it's not a complete alternative to a server-side filter but rather as
a more additional line of defense.
Regards,
Ahmed
Received on Monday, 21 August 2006 13:01:17 UTC