- From: Mark Birbeck <mark.birbeck@x-port.net>
- Date: Mon, 21 Aug 2006 14:15:40 +0100
- To: "Ahmed Saad" <ahmed.lists@gmail.com>
- Cc: "Toby Inkster" <tobyink@goddamn.co.uk>, www-html@w3.org
Ahmed/Toby,

Toby wrote:

> > The only reliable way to deal with this is server side, by transforming
> > '<' to '&lt;' and so forth.

And Ahmed replied:

> For the sake of clarity, the example I wrote was overly simplistic to
> get the idea across. Of course any reasonably coded filter can handle
> such an example, but "real world" XSS vulnerabilities are never that
> simple. Javascript code could be well embedded in tag attributes (for
> example, <a href="javascript:alert('Hi I'm an XSS, you know?')" .. )
> and even inside CSS rules! A CMS might want to allow comments that
> contain such tags so it has to go through all forms of mumbo jumbo in
> filtering logic. Throw in how browsers strangely handle content
> character encoding and you have a disaster.
>
> And actually in the last part of my original message, I did write that
> it's not a complete alternative to a server-side filter but rather an
> additional line of defense.

Exactly...and anyway, Toby's point only moves the problem--even if you do the
filtering server-side, how does the server know when to apply the filter? Of
course you could hard-code this 'knowledge' into your application, but it
seems pretty wasteful for such a common requirement. The idea of using
something like Ahmed's idea, preferably via @role, is that a server could
detect this and do some pre-processing before the page was delivered.

Regards,

Mark

--
Mark Birbeck
CEO
x-port.net Ltd.

e: Mark.Birbeck@x-port.net
t: +44 (0) 20 7689 9232
w: http://www.formsPlayer.com/
b: http://internet-apps.blogspot.com/

Download our XForms processor from http://www.formsPlayer.com/
Received on Monday, 21 August 2006 13:17:32 UTC
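The three server-side options the thread circles around, as an added example that is not code from any of the posters: Toby's escape-every-'<' step, a typical blocklist filter that keeps the tags and strips what looks dangerous, and an allowlist sanitizer that parses the markup and checks attribute values the way a browser will read them (character references decoded, scheme case-folded, control characters skipped). The comment policy (ALLOWED_TAGS, SAFE_SCHEMES), the helper names and the sample comments are assumptions constructed for the example; the first sample is Ahmed's own href payload.

```python
"""Sanitizing user comments that are allowed to keep some HTML.

Added example for this thread, not code from any of the posters. The tag and
attribute policy below (ALLOWED_TAGS, SAFE_SCHEMES) is an assumption.
"""
import re
from html import escape
from html.parser import HTMLParser

# Assumed comment policy: tags a comment may keep, and the attributes each keeps.
ALLOWED_TAGS = {
    "a": {"href", "title"},
    "b": set(), "i": set(), "em": set(), "strong": set(), "p": set(),
}
# href schemes that may stay; "" means a relative URL with no scheme at all.
SAFE_SCHEMES = {"http", "https", "mailto", ""}


def escape_everything(text):
    """Toby's starting point: turn '<' into '&lt;'. Sound when the CMS allows
    no markup at all, but it also destroys the tags the CMS wanted to keep."""
    return escape(text, quote=True)


def blocklist_filter(html):
    """A common 'keep the tags, strip the scary parts' filter. Each pattern
    handles the textbook payload and misses the variants a browser accepts."""
    html = re.sub(r"<script\b.*?</script\s*>", "", html, flags=re.I | re.S)
    html = re.sub(r'\son\w+\s*=\s*"[^"]*"', "", html, flags=re.I)
    return re.sub(r"javascript:", "", html, flags=re.I)


def url_scheme(value):
    """Scheme of a URL the way a browser sees it: C0 controls and spaces are
    skipped (so 'java\\tscript:' reads as 'javascript:') and case is ignored."""
    cleaned = "".join(ch for ch in value if ord(ch) > 0x20)
    head = re.split(r"[/?#]", cleaned, maxsplit=1)[0]
    return head.split(":", 1)[0].lower() if ":" in head else ""


class CommentSanitizer(HTMLParser):
    """Allowlist sanitizer: parse, keep permitted tags/attributes, re-escape."""

    def __init__(self):
        # convert_charrefs decodes &#115; and friends in text and attribute
        # values, so the scheme check sees the same string the browser would.
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return                      # drop the tag itself, keep its text
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_TAGS[tag] or value is None:
                continue                # unknown attribute, style=, on*=: gone
            if name == "href" and url_scheme(value) not in SAFE_SCHEMES:
                continue                # javascript:, data:, vbscript: ...
            kept.append(' %s="%s"' % (name, escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))
        self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in self.open_tags:       # close up to and including this tag
            while self.open_tags:
                closed = self.open_tags.pop()
                self.out.append("</%s>" % closed)
                if closed == tag:
                    break

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))   # text is re-escaped

    def result(self):
        self.close()                    # flush buffered text
        while self.open_tags:           # close whatever the commenter left open
            self.out.append("</%s>" % self.open_tags.pop())
        return "".join(self.out)


def sanitize_comment(html):
    parser = CommentSanitizer()
    parser.feed(html)
    return parser.result()


# Constructed sample comments; the first is Ahmed's own example from the thread.
SAMPLE_COMMENTS = [
    '<a href="javascript:alert(\'Hi I\'m an XSS, you know?\')">link</a>',
    '<a href="  JaVa\tscript:alert(1)">case and whitespace</a>',
    '<a href="java&#115;cript:alert(1)">entity-encoded scheme</a>',
    '<p style="background:url(javascript:alert(1))">CSS rule</p>',
    '<b onmouseover="alert(1)">bold</b> and <script>alert(1)</script>',
    '<a href="https://example.com/?q=1&r=2">a link worth keeping</a>',
]

if __name__ == "__main__":
    for comment in SAMPLE_COMMENTS:
        print("blocklist :", blocklist_filter(comment))
        print("sanitized :", sanitize_comment(comment))
        print()
```

Running it side by side shows the point of Ahmed's reply: the blocklist leaves `JaVa<tab>script:`, `java&#115;cript:` and the `style` rule in place because it matches the text it was given rather than what the browser will decode, while the allowlist sanitizer keeps only the attributes the policy names and re-escapes everything else. Mark's @role suggestion would sit in front of this: the server would run `sanitize_comment` only on the regions a page marks as user-supplied, instead of hard-coding that knowledge into every template.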