On Wed, 21 Nov 2001, Danny Angus wrote:
Date: Wed, 21 Nov 2001 07:51:55 -
From: Danny Angus [EMAIL PROTECTED]
Reply-To: Jakarta General List [EMAIL PROTECTED]
To: Jakarta General List [EMAIL PROTECTED]
Subject: RE: Cross site scripting
Craig wrote:
That seems like a lot of extra
on 11/20/01 11:54 PM, Craig R. McClanahan [EMAIL PROTECTED] wrote:
However, Jon is asking for container-based solutions -- I guess that
requiring the use of Struts tags for all your output qualifies. :-)
Craig
Sigh. I am *not* asking for a container based solution.
Because something got
The code that Struts uses (which is probably closest to your proposed
getEscapedHtml() method) is the filter() method in
org.apache.struts.util.ResponseUtils. But the mechanics (change any
occurrence of '', '', '', or '' to the corresponding escape sequence)
is the easy part of the problem. The
Craig wrote:
I don't know of any generic solutions to the getStrippedHtml() or
removeScriptTag() methods you propose - but are they still necessary if you
do the getEscapedHtml() processing on everything?
from my experience no would be the answer.
furthermore simply removing script tags only
On 11/21/01 6:59 AM, Danny Angus [EMAIL PROTECTED] wrote:
Hence my own conviction that the only safe option is no HTML in submissions.
However I'd rather escape it on the way in than the way out to reduce load.
That's something I intuitively agree with, and don't understand the contrary
on 11/21/01 1:26 AM, Craig R. McClanahan [EMAIL PROTECTED] wrote:
I don't know of any generic solutions to the getStrippedHtml() or
removeScriptTag() methods you propose - but are they still necessary if you
do the getEscapedHtml() processing on everything?
Craig
The issue is whether or
Ok, you're right!
d.
-Original Message-
From: Jon Stevens [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, November 21, 2001 5:52 PM
To: [EMAIL PROTECTED]
Subject: Re: Cross site scripting
on 11/21/01 4:09 AM, Geir Magnusson Jr. [EMAIL PROTECTED] wrote:
On 11/21/01 6:59 AM, Danny
Actually I was busy, what I really wanted to say was that I agree with every
one of the points you make, but still stick to my preference for escaping on
the way in, but OK, let's say only where practical.
I've been involved myself in a project where we had to accept input of
script and prepare
Paul Spencer [EMAIL PROTECTED] writes:
Within the standard Jakarta documentation tools, i.e. jakarta-site2
and anakia, is there a way to build a keyword index?
Lucene could be used to build such a tool.
Since CSS vulnerabilities are due to the nature of html presentation, it
seems to me that the presentation layer is clearly the place to fix it.
Storing encoded data is a bad idea, IMHO, because:
You've got to somehow ensure that all input data is channeled through
your encoder. Sure, this may
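The two positions in this thread (Craig's description of the escaping done by Struts' ResponseUtils.filter(), and the argument here for storing raw data and encoding at the presentation layer) come together in the following added example. It is not code from the thread or from Struts; the class and method names HtmlOutput, escape and renderComment are hypothetical, and the sample submission is constructed.

```java
// Added example, not from the thread or from Struts: a minimal output-side
// HTML escaper of the kind the ResponseUtils.filter() discussion describes.
// Hypothetical names: HtmlOutput, escape, renderComment.
public final class HtmlOutput {
    private HtmlOutput() {}

    /**
     * Escape text for insertion into HTML element content or a double-quoted
     * attribute value. Only the characters with meaning to the HTML parser are
     * rewritten; everything else passes through unchanged.
     */
    public static String escape(String input) {
        if (input == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(input.length() + 16);
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /**
     * Store raw, escape at render time. The stored value is still usable in
     * non-HTML contexts (mail, logs, APIs) and is encoded exactly once, so
     * the double-encoding problem of escaping on the way in cannot arise.
     */
    public static String renderComment(String storedRaw) {
        return "<p class=\"comment\">" + escape(storedRaw) + "</p>";
    }

    public static void main(String[] args) {
        // Constructed sample submission containing markup and quotes.
        String submitted = "Nice post <script>x</script> & \"thanks\"";
        System.out.println(renderComment(submitted));
    }
}
```

The same escape() output is safe in element content and in double-quoted attributes, but not inside a script block, a URL or a CSS value, which need their own context-specific encoders.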