In the interest of breaking the chains of my cross site scripting ignorance, I'm assuming that the offending SCRIPT needs to be blocked from POST or GET requests made by users to JSP/Servlets on the target server? Wouldn't an input filter on the servlet just do the trick?
gio

Jon Stevens wrote:

>Wow, you fit my first paragraph perfectly.
>
>http://httpd.apache.org/info/css-security/index.html
>
>-jon
>
>
>on 11/20/01 5:11 AM, "Steve Giovannetti" <[EMAIL PROTECTED]> wrote:
>
>>What exactly do you mean by "cross site scripting" and could you give
>>pointers to the examples you're talking about in PHP, Perl and C?
>>
>>gio
>>
>>Jon Stevens wrote:
>>
>>>Sadly, it seems that the Java world really hasn't taken the cross site
>>>scripting issues seriously. Only a few projects within Jakarta have really
>>>made an effort to fix bugs and that was after they were pointed out by
>>>others. It also seems that most of the examples are for other languages
>>>(PHP, Perl, C) and not Java and that they have made simple methods available
>>>to resolve the issues.
>>>
>>>It would be really cool to start a project under Jakarta (ie: in commons)
>>>that addresses the issues of the cross site scripting bugs in a re-usable
>>>fashion so that more people will be aware of the issues surrounding this
>>>important discovery.
>>>
>>>Does anyone have code they want to contribute to get this started? How are
>>>you currently dealing with these issues? What is your favorite way to escape
>>>things? Do you filter/escape all content or only some content? Etc.
>>>
>>>Thanks,
>>>
>>>-jon
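
An added example, not part of the original thread and not code from any Jakarta project: a small reusable Java helper of the kind the thread asks about, which escapes a request value at the point it is written into HTML. The class name `HtmlEscape`, the method `escape` and the sample values are assumptions made for illustration; the helper covers HTML element content and quoted attribute values only, not JavaScript or URL contexts.

```java
// Added example: escape untrusted request values when writing them into HTML.
// HtmlEscape and escape() are hypothetical names, not an existing Jakarta API.
public final class HtmlEscape {
    private HtmlEscape() {}

    /**
     * Escapes text for use in HTML element content or inside a quoted
     * attribute value. Not sufficient for script blocks or URLs.
     */
    public static String escape(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break; // must not start an entity
                case '<':  out.append("&lt;");   break; // must not open a tag
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break; // must not close a "..." attribute
                case '\'': out.append("&#39;");  break; // must not close a '...' attribute
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed samples standing in for request.getParameter(...) values
        // received by a JSP or servlet via GET or POST.
        String comment = "<SCRIPT>alert(1)</SCRIPT>";
        String company = "Tom \"T\" O'Neil & Co";

        // Element content: the markup is rendered as text, not parsed as a tag.
        System.out.println("<p>" + escape(comment) + "</p>");
        // Quoted attribute value: the quotes in the data cannot end the attribute.
        System.out.println("<input type=\"text\" value=\"" + escape(company) + "\">");
    }
}
```

Because the escaping is applied when the value is written out, it behaves the same whether the value arrived in the current request or was read back from storage.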
