On Tue, 2003-03-11 at 02:58, Clinton Gormley wrote:
> On Tue, 2003-03-11 at 06:03, Stas Bekman wrote:
> > Changes since 0.7
> >
> > * prevent cross-site scripting, now HTML-escaping the request field
> In Stas' Apache::VMonitor announcement, he mentions changes to prevent
> cross site scripting.
>
> This is a concern for me at the moment, because I'm building a site
> which will allow people to submit copy (to be displayed to other
> users) and I would like them to be able to use HTML and include links
> to other sites (much like slashdot).
>
> Do any of you have any ideas about good techniques to prevent CSS (and
> I don't mean those <div> elements) in this scenario?
>
> I've read the articles on cert.org
> (http://www.cert.org/tech_tips/malicious_code_mitigation.html) and
> apache.org
> (http://httpd.apache.org/info/css-security/encoding_examples.html)
>
There is also a great article by Paul Lindner, titled "Preventing Cross-site Scripting Attacks" which I found very helpful, available at:

http://www.perl.com/pub/a/2002/02/20/css.html

Thanks,
--
Nathan Byrd <[EMAIL PROTECTED]>