Re: Security Markup

Ahmed/Toby,

Toby wrote:
> > The only reliable way to deal with this is server side, by transforming
> > '<' to '&lt;' and so forth.

And Ahmed replied:
> For the sake of clarity, the example I wrote was overly simplistic to
> get the idea across. Of course any reasonably coded filter can handle
> such example but "real world" XSS vulnerabilities are never that
> simple. Javascript code could be well embedded in tag attributes (for
> example, <a href="javascript:alert('Hi I'm an XSS, you know?')" .. )
> and even inside CSS rules! A CMS might want to allow comments that
> contain such tags so it has to go through all forms of mumbo jumbo in
> filtering logic. Throw in how browsers strangely handle content
> character encoding and you have a disaster.
>
> And actually in the last part of my original message, I did write that
> it's not a complete alternative to a server-side filter but rather an
> additional line of defense.

Exactly...and anyway, Toby's point only moves the problem--even if you
do the filtering server-side, how does the server know when to apply
the filter?

Of course you could hard-code this 'knowledge' into your application,
but it seems pretty wasteful for such a common requirement. The idea
of using something like Ahmed's idea, preferably via @role, is that a
server could detect this and do some pre-processing before the page
was delivered.

Regards,

Mark

-- 
Mark Birbeck
CEO
x-port.net Ltd.

e: Mark.Birbeck@x-port.net
t: +44 (0) 20 7689 9232
w: http://www.formsPlayer.com/
b: http://internet-apps.blogspot.com/

Download our XForms processor from
http://www.formsPlayer.com/

Received on Monday, 21 August 2006 13:17:32 UTC
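The point the two quoted messages circle around is that escaping is context dependent: Toby's '<' to '&lt;' transform protects a text node, but Ahmed's `<a href="javascript:...">` example contains no '<' at all, so the same rule leaves it untouched. The following is an added example (not code from this thread or from any of the participants) showing what a server-side filter has to do once it knows where the value will land: one encoder for text nodes, one for attribute values, and a scheme allowlist for `href`. The comment text, author name and links are constructed sample input.

```python
"""Context-aware output encoding for user-supplied comment text and links.

Added example for this thread. The sample author, body and link values in
the tests and usage are constructed, not taken from any real site.
"""
import html
import re
from typing import Optional

# Schemes a CMS is willing to emit in an href. An allowlist is used rather
# than a blocklist of "javascript", "vbscript", "data", ... because a
# blocklist has to anticipate every scheme a browser might execute.
SAFE_SCHEMES = {"http", "https", "mailto"}

# Browsers drop ASCII whitespace and control characters while parsing a URL,
# so "java\tscript:" is still treated as javascript:. Strip those characters
# before inspecting the scheme so the check sees what the browser will see.
_STRIP_RE = re.compile(r"[\x00-\x20\x7f]")


def naive_filter(s: str) -> str:
    """The simplistic '<' -> '&lt;' transform from the thread, for comparison.

    It is correct for a text node and does nothing for an attribute that
    already carries a javascript: URL, which is the gap Ahmed describes.
    """
    return s.replace("<", "&lt;").replace(">", "&gt;")


def escape_text(s: str) -> str:
    """Escape a value destined for an HTML text node (between tags)."""
    return html.escape(s, quote=False)


def escape_attr(s: str) -> str:
    """Escape a value destined for a double-quoted attribute (quotes too)."""
    return html.escape(s, quote=True)


def safe_href(url: str) -> Optional[str]:
    """Return a cleaned URL if it is relative or uses an allowlisted scheme.

    Returns None when the scheme is not on the allowlist, so the caller can
    decide to drop the link rather than emit it.
    """
    cleaned = _STRIP_RE.sub("", url)
    scheme, sep, _rest = cleaned.partition(":")
    if not sep:
        # No colon at all: a relative URL such as "/about" or "page.html".
        return cleaned
    if any(ch in scheme for ch in "/?#"):
        # The first colon comes after a path/query/fragment delimiter
        # ("/a/b:c"), so the URL has no scheme and is relative.
        return cleaned
    return cleaned if scheme.lower() in SAFE_SCHEMES else None


def render_comment(author: str, body: str, link: str) -> str:
    """Render one comment, encoding each value for the context it lands in."""
    href = safe_href(link)
    if href is not None:
        # Attribute context for the URL, text context for the visible name.
        author_html = f'<a href="{escape_attr(href)}">{escape_text(author)}</a>'
    else:
        # Link rejected: show the name without any anchor at all.
        author_html = escape_text(author)
    return f"<p>{author_html}: {escape_text(body)}</p>"


if __name__ == "__main__":
    # Constructed sample input: a comment carrying the thread's javascript: URL.
    print(render_comment("alice", "Nice <b>post</b>", "http://www.formsPlayer.com/"))
    print(render_comment("mallory", "hi", "javascript:alert('Hi I'm an XSS, you know?')"))
```

The design choice worth noting is that `safe_href` returns `None` instead of a sanitised string: deciding what to do with a rejected link (drop it, replace it with `#`, flag the comment for review) is a policy question for the CMS, and keeping that separate from the encoding step is what lets the encoders stay small and verifiable. Mark's suggestion of marking such fields with `@role` is one way the server could learn which of these three contexts a given value is headed for.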