Where I work, for any data a client can submit, we perform explicit checking via:
Get incoming %ARGS:

(1) Is the data being submitted expected or allowed on this particular handler, and does it exist?
(2) If it exists, is it of the proper type? (i.e. integer, float, etc.)
(3) Strip out anything not expected, or if free form text expected, strip out all JS, VB Script, etc.
(4) If not expected, send to bit bucket ... continue execution flow

Yes it's more manual and takes more time, but it has worked extremely well for us.

- Jeff

----- Original Message ----
From: brett gardner <[EMAIL PROTECTED]>
To: Dave Rolsky <[EMAIL PROTECTED]>
Cc: Mason-Users <mason-users@lists.sourceforge.net>
Sent: Wednesday, April 11, 2007 3:25:22 PM
Subject: Re: [Mason] Cross-site scripting best practices

I use a whitelist of tags and attributes for each tag for any input that came through an HTML WYSIWYG editor, e.g. FCK HTML editor.

Dave Rolsky wrote:
> On Wed, 11 Apr 2007, Dominic Mitchell wrote:
>
>>> I think the person saying it was wrong was implying that a better approach
>>> is to use a real HTML parser to remove unwanted tags. Take a look at a
>>> module like HTML::Scrubber.
>>>
>> My best practice is simply to get mason to escape everything, by
>> default[1]. Having to explicitly unescape things in order to let
>> through an XSS attack is a very good idea, IMHO.
>>
> I don't like turning on the default escape flags, but that's just habit, I
> guess. It's not a bad idea. I'm pretty careful about escaping everything
> except for strings/numbers I know are safe (like ids from the database).
>
> But generally speaking, you should always escape your output, either by
> default or explicitly.
>
> -dave
>
> /*===================================================
> VegGuide.Org                        www.BookIRead.com
> Your guide to all that's veg.       My book blog
> ===================================================*/
>
> -------------------------------------------------------------------------
> Take Surveys. Earn Cash. Influence the Future of IT
> Join SourceForge.net's Techsay panel and you'll get the chance to share your
> opinions on IT & business topics through brief surveys-and earn cash
> http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
> _______________________________________________
> Mason-users mailing list
> Mason-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/mason-users
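The three practices in this thread (Jeff's four checks on the incoming arguments, the per-tag attribute whitelist applied with a real HTML parser that brett and Dominic describe, and Dave's escape-everything-by-default output) as one added example. It is written in Python rather than Mason/Perl and is not code from anyone in the thread; the handler schema, the tag/attribute allowlist, the `Trusted` marker type and the sample request are all constructed for the illustration, and the parser class stands in for what HTML::Scrubber would do in Perl.

```python
# Added example (Python stand-in for Mason/Perl): per-handler argument checks, an
# allowlist HTML cleaner built on a real parser, and escape-by-default output.
# SCHEMA, ALLOWED, Trusted and SAMPLE_ARGS are constructed for this illustration.
import html
import re
from html.parser import HTMLParser


class Trusted(str):
    """Marker for HTML that has already been cleaned; the only way past render()."""


class AllowlistSanitizer(HTMLParser):
    """Rebuild markup keeping only allowed tags and, per tag, allowed attributes."""
    ALLOWED = {"p": set(), "b": set(), "i": set(), "a": {"href"}}
    DROP_CONTENT = {"script", "style"}  # their text must vanish as well
    SAFE_HREF = re.compile(r"^(https?:|mailto:|/)", re.I)

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._skip = 0                  # > 0 while inside script/style

    def handle_starttag(self, tag, attrs):
        if tag in self.DROP_CONTENT:
            self._skip += 1
            return
        if tag not in self.ALLOWED:
            return                      # tag dropped, its text is kept
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in self.ALLOWED[tag]:
                continue                # e.g. onclick
            if name == "href" and not self.SAFE_HREF.match(value):
                continue                # e.g. javascript: URLs
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in self.DROP_CONTENT:
            self._skip = max(0, self._skip - 1)
        elif tag in self.ALLOWED:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:              # parser decoded entities; re-escape text
            self.out.append(html.escape(data, quote=False))


def sanitize_html(text):
    """Return the allowlisted subset of text as Trusted HTML."""
    parser = AllowlistSanitizer()
    parser.feed(text)
    parser.close()
    return Trusted("".join(parser.out))


# Per-handler schema: which arguments this handler expects, and their types.
SCHEMA = {"item_id": "int", "price": "float", "comment": "html"}
TYPES = {"int": (re.compile(r"^-?[0-9]+$"), int),
         "float": (re.compile(r"^-?[0-9]+(\.[0-9]+)?$"), float)}


def validate_args(args, schema=SCHEMA):
    """Jeff's four steps; returns (clean typed values, rejected name -> reason)."""
    clean, rejected = {}, {}
    for name, raw in args.items():
        kind = schema.get(name)
        if kind is None:                         # steps 1 and 4: not expected
            rejected[name] = "unexpected"
        elif kind in TYPES:                      # step 2: proper type?
            pattern, cast = TYPES[kind]
            if pattern.match(raw):
                clean[name] = cast(raw)
            else:
                rejected[name] = f"not a valid {kind}"
        elif kind == "html":                     # step 3: free text cleaned
            clean[name] = sanitize_html(raw)
    return clean, rejected


def render(value):
    """Escape-by-default output: only Trusted values pass through unescaped."""
    if isinstance(value, Trusted):
        return str(value)
    return html.escape(str(value), quote=True)


# Constructed request, as a handler might receive it from a form post.
SAMPLE_ARGS = {
    "item_id": "42",
    "price": "9.99",
    "role": "admin",                              # not expected by this handler
    "comment": ('<p onclick="x()">Hi <b>there</b><script>alert(1)</script>'
                '<a href="javascript:alert(1)">bad</a> '
                '<a href="https://example.org">ok</a></p>'),
}
```

Two points the code makes that the mails only imply: `HTMLParser` decodes entities before handing text to `handle_data`, so the cleaner must re-escape every text node or `&lt;script&gt;` in the input would come back out as a live tag; and `Trusted` is the "explicitly unescape" step Dominic mentions, the single deliberate path by which cleaned HTML reaches the page while everything else, database ids included, goes through `html.escape`.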