On Tuesday 22 January 2002 18:48, Perrin Harkins wrote:
> > What techniques do you use to ensure that your application is not
> > vulnerable?
>
> Usually I write applications so that they do some processing, package up a
> chunk of data, and hand it to a template. With this structure, all you
> need to do is HTML-escape the data structure before handing it off, or use
> a templating tool that defaults to HTML-escaping all printed variables. If
> you're doing this, nothing the user sends in will pose a CSS threat.
Yes and no. XSS attacks are possible on old browsers, when the charset is not set (something which is often the case with mod_perl apps) and when the HTML-escaping bit does not match what certain browsers accept as markup. See http://www.xray.mpe.mpg.de/mailing-lists/perl5-porters/2000-03/msg00750.html for a discussion of this. I think CGI.pm is safe now, and most modern browsers appear to have fixed that behaviour, but quite a few still remain in circulation and I'm not sure that all templating systems are handling the escaping properly.

-- 
Robin Berjon <[EMAIL PROTECTED]> -- CTO
k n o w s c a p e : // venture knowledge agency
www.knowscape.com
-----------------------------------------------------------------------
Critic, n.: A person who boasts himself hard to please because nobody
tries to please him.
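As an added illustration of the two points raised in this thread (escape every variable at the template boundary by default, and always send an explicit charset so the browser never has to guess one), here is a small Python sketch; it is not code from either poster, and the `Markup` wrapper and the `missing_charset` header check are my own assumptions about how an application would mark trusted HTML and audit its responses.

```python
import html
from dataclasses import dataclass

# Constructed example, not code from the thread: a tiny template renderer that
# HTML-escapes every substituted variable by default, plus a response-header
# check for the explicit charset the reply above says is often left out.


@dataclass(frozen=True)
class Markup:
    """Wrapper for HTML the application itself built; only this bypasses escaping."""
    value: str


def escape_value(value) -> str:
    """Escape one substituted value; Markup passes through untouched."""
    if isinstance(value, Markup):
        return value.value
    # quote=True also escapes " and ' so the value is safe inside attribute quotes
    return html.escape(str(value), quote=True)


def render(template: str, data: dict) -> str:
    """Fill {name} placeholders, escaping every value unless it is Markup."""
    return template.format(**{k: escape_value(v) for k, v in data.items()})


def content_type_header(charset: str = "UTF-8") -> str:
    """Always declare the charset so the browser cannot pick one on its own."""
    return f"Content-Type: text/html; charset={charset}"


def missing_charset(headers: list) -> list:
    """Return the text/html Content-Type headers that omit a charset parameter."""
    bad = []
    for h in headers:
        name, _, value = h.partition(":")
        if name.strip().lower() != "content-type":
            continue
        params = [p.strip().lower() for p in value.split(";")]
        if params[0] == "text/html" and not any(
            p.startswith("charset=") for p in params[1:]
        ):
            bad.append(h)
    return bad
```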