Don't bother despairing about microsoft, bask in the smug feeling that your
on the side of Right, and you've planted your banner on the moral high
ground. ;-)
-Original Message-
From: Jon Stevens [mailto:[EMAIL PROTECTED]]
Sent: Sunday, November 25, 2001 9:43 PM
To: [EMAIL PROTECTED]
On Wed, 21 Nov 2001, Danny Angus wrote:
Date: Wed, 21 Nov 2001 07:51:55 -
From: Danny Angus [EMAIL PROTECTED]
Reply-To: Jakarta General List [EMAIL PROTECTED]
To: Jakarta General List [EMAIL PROTECTED]
Subject: RE: Cross site scripting
Craig wrote:
That seems like a lot of extra
on 11/20/01 11:54 PM, Craig R. McClanahan [EMAIL PROTECTED] wrote:
However, Jon is asking for container-based solutions -- I guess that
requiring the use of Strut tags for all your output qualifies. :-)
Craig
Sigh. I am *not* asking for a container based solution.
Because something got
, 21 Nov 2001, Jon Stevens wrote:
Date: Wed, 21 Nov 2001 00:49:36 -0800
From: Jon Stevens [EMAIL PROTECTED]
Reply-To: Jakarta General List [EMAIL PROTECTED]
To: [EMAIL PROTECTED] [EMAIL PROTECTED]
Subject: Re: Cross site scripting
on 11/20/01 11:54 PM, Craig R. McClanahan [EMAIL PROTECTED
Craig wrote:
I don't know of any generic solutions to the getStrippedHtml() or
removeScriptTag() methods you propose - but are they still necesary if you
do the getEscapedHtml() processing on everything?
from my experience no would be the answer.
furthermore simply removing script tags only
On 11/21/01 6:59 AM, Danny Angus [EMAIL PROTECTED] wrote:
Hence my own conviction that the only safe option is no HTML in submissions.
However I'd rather escape it on the way in than the way out to reduce load.
That's something I intuitively agree with, and don't understand the contrary
on 11/21/01 1:26 AM, Craig R. McClanahan [EMAIL PROTECTED] wrote:
I don't know of any generic solutions to the getStrippedHtml() or
removeScriptTag() methods you propose - but are they still necesary if you
do the getEscapedHtml() processing on everything?
Craig
The issue is whether or
Ok, you're right!
d.
-Original Message-
From: Jon Stevens [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, November 21, 2001 5:52 PM
To: [EMAIL PROTECTED]
Subject: Re: Cross site scripting
on 11/21/01 4:09 AM, Geir Magnusson Jr. [EMAIL PROTECTED] wrote:
On 11/21/01 6:59 AM, Danny
for a small API to help her/him do the
dull hard work. (which I'm right behind)
d.
-Original Message-
From: Danny Angus [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, November 21, 2001 6:57 PM
To: Jakarta General List
Subject: RE: Cross site scripting
Ok, you're right!
d
]
-Original Message-
From: Danny Angus [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, November 21, 2001 1:20 PM
To: Jakarta General List
Subject: RE: Cross site scripting
Actually I was busy, what I really wanted to say was that I
agree with every
one of the points you make, but still
What exactly do you mean by cross site scripting and could you give
pointers to the examples your talking about in PHP, Perl and C?
gio
Jon Stevens wrote:
Sadly, it seems that the Java world really hasn't taken the cross site
scripting issues seriously. Only a few projects within Jakarta have
Wow, you fit my first paragraph perfectly.
http://httpd.apache.org/info/css-security/index.html
-jon
on 11/20/01 5:11 AM, Steve Giovannetti [EMAIL PROTECTED] wrote:
What exactly do you mean by cross site scripting and could you give
pointers to the examples your talking about in PHP, Perl
Not Java, but I guess that just Illustrates the point you're making! :-)
I'd be happy to translate some of my perl if you like.
d.
-Original Message-
From: Jon Stevens [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, November 20, 2001 6:44 PM
To: [EMAIL PROTECTED]
Subject: Re: Cross site
on 11/20/01 10:58 AM, Steve Giovannetti [EMAIL PROTECTED] wrote:
In the interest of breaking the chains of my cross site scripting
ignorance, I'm assuming that the offending SCRIPT needs to be blocked
from POST or GET requests made by users to JSP/Servlets on the target
server?
Nope. The
I was trying to look at this from the standpoint of how does the
offending script get on your site in the first place. Let's say you
have a discussion board and you want to make sure no one puts nasty suff
in SCRIPT tags in their postings. But from what I gather is your
interested in
-Original Message-
From: Jon Stevens [mailto:[EMAIL PROTECTED]]
Part of the problem with this security hole is that, for some
reason, it is
hard for a lot of people to even get a basic comprehension of it (even
though it is so well documented). I think that is why a lot of people
Jon,
First off, Bravo! for starting this thread! IMO it's a serious problem,
and people like Charles Schwab are vulnerable to CSS vulnerabilities and as
far as I know, haven't done a thing about it. (For everybody: CSS in this
case is Cross site scripting, not cascading style sheets... we
on 11/20/01 12:43 PM, Steve Giovannetti [EMAIL PROTECTED] wrote:
I was trying to look at this from the standpoint of how does the
offending script get on your site in the first place. Let's say you
have a discussion board and you want to make sure no one puts nasty suff
in SCRIPT tags in
From: Jon Stevens [mailto:[EMAIL PROTECTED]]
Does anyone have code they want to contribute to get this started? How
are
you currently dealing with these issues? What is your favorite way to
escape
things? Do you filter/escape all content or only some content? Etc.
In the world of XSL, I think
19 matches
Mail list logo