Jon, First off, "Bravo!" for starting this thread! IMO it's a serious problem, and people like Charles Schwab are vulnerable to CSS vulnerabilities and as far as I know, haven't done a thing about it. (For everybody: CSS in this case is Cross site scripting, not cascading style sheets... we need a new acronym! :-) ) And Microsoft's solution is to have a programmer URL encode everything before they write it to a web page. I don't care about that either!
I attempted a CSS filtering mechanism, and it's located in Expresso. The package is: com.jcorporate.expresso.core.security.filters. You can download the package / get Anon CVS access info at http://www.jcorporate.com/ I'd recommend taking a look at CVS because I found some rather embarrassing performance mistakes that I didn't find until after the 4.0 release. [Hadn't gotten a chance to run it through a profiler until then :(... 4.0.1 release will be out soon! :-) ]

----------------------------------------------

As far as where to filter and where not to: The way I implemented it was to have all database fields filtered when the field is read. I figured that by and large the problem with poison parameters only affects other users if it goes to a permanent store. [I mean, you really want to steal the admin's password cookie, not your own, right?] Which is why I chose the filtering route I did, and didn't bother filtering servlet parameters. I supposed cookies would also be a good thing to filter, but only when the app tries to read them. [i.e. don't filter the cookies for every HTTP request]

----------------------------------------------------------------------

Implementation Notes:

- One requirement I had was that I could refilter a string twice and get the same results. Not crap like: &amp;amp; That's why I implemented the parsing as a tree of characters instead of just basic string filtering.

- CERT's article about mitigating CSS vulnerabilities seems (as far as I could read into it) concerned about having distinct filters for different character sets. So I encoded it to be able to plug in its own character sets... but nobody's contributed any, so currently only ISO-8859-1 is implemented. :-(

- Ignore ISO-8859-1-eForum... that was just a hack to allow emoticons in their forums. :-)

- Although CERT recommended filtering apostrophes, I could never figure out a way to filter it so that browsers would display it properly. Any thoughts here would be greatly appreciated.
---------------------------------------------------------------------

Finally, let me know if you guys have any suggestions on the code, as well as feel free to look it over, use it, abuse it, etc.

<disclaimer> I'm definitely not a Java, security, or i18n guru.... please go easy :-) </disclaimer>

-Mike
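An added example (not Expresso's filter code, and not part of the original post) of the refilter-safe behaviour Mike describes: an HTML output encoder that leaves an already well-formed character reference alone, so filtering a string twice gives exactly the same result as filtering it once, and that encodes the apostrophe as the numeric reference &#39;, which browsers render as a plain apostrophe. The class and method names are assumptions made here.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Added example: an idempotent HTML output encoder (hypothetical class, not Expresso's). */
public final class IdempotentHtmlFilter {

    // An ampersand that already begins a well-formed character reference
    // (&amp; &lt; &#39; &#x27; ...) is copied verbatim, so a second pass
    // over already-filtered text can never produce "&amp;amp;".
    private static final Pattern ENTITY = Pattern.compile(
        "&(#[0-9]{1,7}|#[xX][0-9a-fA-F]{1,6}|[A-Za-z][A-Za-z0-9]{1,31});");

    public static String filter(String in) {
        if (in == null) return null;
        StringBuilder out = new StringBuilder(in.length() + 16);
        int i = 0, n = in.length();
        while (i < n) {
            char c = in.charAt(i);
            switch (c) {
                case '&': {
                    Matcher m = ENTITY.matcher(in);
                    m.region(i, n);
                    if (m.lookingAt()) {          // already an entity: keep as-is
                        out.append(m.group());
                        i = m.end();
                        continue;
                    }
                    out.append("&amp;");          // a bare ampersand gets encoded
                    break;
                }
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                // Numeric reference: every browser displays it as ', which is not
                // true of the named &apos; in older HTML user agents.
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
            i++;
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample input containing markup, quotes and a bare ampersand.
        String raw = "<b onmouseover='x()'>Tom & Jerry \"quoted\"</b>";
        String once = filter(raw);
        System.out.println(once);
        System.out.println("idempotent: " + once.equals(filter(once)));
    }
}
```

The price of idempotence is that text a user literally typed as &amp; is displayed as & rather than as the four characters, which is the same trade-off the tree-based filter in the post makes.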
