Thanks for the feedback, Chris.
Christopher Schultz wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Joe,
Joseph McGranaghan wrote:
So, tags I'm originally NOT allowing are:
<applet> <script> <embed> <object> <server> <frame> <iframe> <frameset>
<html> <body>
Okay.
If you're going to do this:
I'm removing all javascript event attributes ( onclick="alert('xss');" )
...then why do this:
Removing all javascript escaped quotes: \' and \"
There are ALL KINDS of ways to trick parsers and slip in javascript code.
Stripping these could very well make it 'not worth the effort' for a hacker.
Better safe than sorry.
Also, I read that myspace strips them :)
??
You don't allow <script> tags (and anything within them, I imagine), and
you are removing javascript events, so there shouldn't be any javascript
left over... right?
In any tag left that has a link in it (src|href|action), I'm making sure
it is NOT relative and NOT to my server: <a> <img> <ilayer> <form>
I guess this would be protecting against a SSS (same-side scripting)
issue? ;)
Exactly. A precaution, just so I know.
Any 'target' attributes, I'm changing to target='_blank', although I
still think there is a security flaw in here for a popup window trying
to run code on the originating page.
Note that XHTML forbids the "target" attribute. It's still widely
supported, though.
I will be checking CSS urls.
Perhaps you should simply disallow <link> elements. You aren't allowing
<body>, so I'm guessing that <head> isn't allowed, which means that
<link> also isn't.
Thanks, 'cause I missed those in round one.
CSS urls can also be in 'style' attributes.
I think you can ignore over-escaping javascript, since you've pretty
much eliminated it in the previous steps.
- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFF+rQR9CaO5/Lv0PARAqc+AJ0TEj4eTXZIK4JY+DksIbWMmVYtsgCdGgKb
5aXL7MPDFohobgBhKIVBndk=
=M9f9
-----END PGP SIGNATURE-----
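The checks the two of them go through above (a fixed list of permitted tags, dropping every `on*` event attribute, requiring `src`/`href`/`action` to be absolute and point away from the site, rewriting `target` to `_blank`, and refusing `url(...)` inside `style` attributes) can be put together in one small sanitizer. The code below is an added example written for this page; it is not Joe's or Chris's code. It takes the allowlist stance Chris hints at (only listed tags and attributes survive, everything else is stripped) rather than Joe's blacklist of forbidden tags, since a blacklist has to anticipate every tag a browser will ever honour. `OWN_HOST`, the tag and attribute sets, and the function and class names are all assumptions chosen for the example, and the `rel="noopener"` added alongside `target="_blank"` is this example's addition for the popup/opener concern Joe raises, not something either poster mentions.

```python
"""Allowlist HTML sanitizer illustrating the checks discussed in the thread.

Hypothetical example code. OWN_HOST and the allowed tag/attribute sets are
assumptions for the demonstration; adapt them to the real site.
"""
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

OWN_HOST = "example.com"  # assumed: host the sanitized content is served from

# Only these tags survive; anything else is stripped but its text is kept.
ALLOWED_TAGS = {"a", "img", "form", "p", "br", "b", "i", "em", "strong",
                "ul", "ol", "li", "span"}
VOID_TAGS = {"img", "br"}
# Tags whose inner content is discarded too (script/style/plugin content).
DROP_CONTENT_TAGS = {"script", "style", "object", "applet", "embed",
                     "iframe", "frameset"}
# Per-tag attribute allowlist. Event handlers (on*) are never listed, and an
# explicit startswith("on") check below keeps them out even if the table grows.
ALLOWED_ATTRS = {
    "a": {"href", "title", "target", "style"},
    "img": {"src", "alt", "width", "height", "style"},
    "form": {"action", "method", "target"},
    "p": {"style"}, "span": {"style"},
}
LINK_ATTRS = {"href", "src", "action"}
# Plain "prop: value;" declarations only. No parentheses means no url(...)
# or expression(...) can appear, which covers the 'style' attribute caveat.
SAFE_STYLE = re.compile(r"^\s*(?:[a-z-]+\s*:\s*[\w\s#%.,-]+;?\s*)*$", re.I)


def link_is_external_absolute(url: str) -> bool:
    """True only for http(s) URLs with a host that is not ours.

    Relative URLs, protocol-relative (//host) URLs and non-http schemes such
    as javascript: all fail the scheme/host test and are rejected.
    """
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ("http", "https") or not parts.hostname:
        return False
    host = parts.hostname.lower()
    return host != OWN_HOST and not host.endswith("." + OWN_HOST)


class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.drop_depth = 0  # > 0 while inside a DROP_CONTENT tag

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.drop_depth += 1
            return
        if self.drop_depth or tag not in ALLOWED_TAGS:
            return  # tag stripped, text content still flows through
        kept = []
        for name, value in attrs:  # HTMLParser lowercases names for us
            value = value or ""
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name in LINK_ATTRS and not link_is_external_absolute(value):
                continue  # relative, same-site, or javascript:/data: link
            if name == "style" and not SAFE_STYLE.match(value):
                continue
            if name == "target":
                value = "_blank"  # any target becomes a new window
            kept.append((name, value))
        if tag == "a" and any(n == "target" for n, _ in kept):
            kept.append(("rel", "noopener"))  # new window gets no window.opener
        attr_text = "".join(f' {n}="{html.escape(v, quote=True)}"' for n, v in kept)
        self.out.append(f"<{tag}{attr_text}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self.drop_depth = max(0, self.drop_depth - 1)
            return
        if self.drop_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.drop_depth:
            self.out.append(html.escape(data, quote=False))


def sanitize(fragment: str) -> str:
    parser = Sanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed sample input for the demonstration.
    print(sanitize('<p onclick="alert(1)">Hi <script>alert(1)</script>there</p>'
                   '<a href="javascript:alert(1)" target="x">click</a>'))
```

Two things this example deliberately does not do. It re-emits tags from a streaming parser, so an unclosed `<a>` in the input stays unclosed in the output; a production sanitizer should work on a parsed tree so it can balance tags. And it drops a failed `src`/`href`/`action` rather than the whole element, which is the least surprising choice for the thread's "make sure it is NOT relative and NOT to my server" rule, but dropping the element is equally defensible.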
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]