Hi Robin,
Recently I've been trying to secure my websites against XSS via injection of JS in 
many ways. Unfortunately these solutions don't seem to work properly. 

OWASP basically says to work on whitelists, and (with Ruby) the Sanitize gem 
helps by giving a first level of protection, stripping *all* malicious tags from 
params... but it's not enough. 

Some attempts (i.e. starting with %22%20onmouseover) are still painful, and at this 
point I'm writing some code to escape, but I am back to blacklisting, which 
smells like a never-ending run. 

Adding code for stupid params like locale also slows down performance, but that is 
a secondary problem. 

d4x

Sent from my mobile

On 14/Jul/2013, at 09:41, Robin Wood <[email protected]> wrote:

> Thanks for the suggestions, as long as it gives the impression it is 
> filtering I'm happy, so I'll see which of these is the easiest to drop in.
> 
> Robin
> 
> On Jul 14, 2013 3:47 AM, "Ryan Dewhurst" <[email protected]> wrote:
>> The OWASP DOM XSS Prevention Cheat Sheet (if you haven't come across it 
>> already) lists these:
>> 
>> "
>> 1. ESAPI
>> 2. Apache Commons String Utils
>> 3. Jtidy
>> 4. Your company's custom implementation.
>> 
>> Some work on a black list while others ignore important characters like “<” 
>> and “>”. ESAPI is one of the few which works on a whitelist and encodes all 
>> non-alphanumeric characters. It is important to use an encoding library that 
>> understands which characters can be used to exploit vulnerabilities in their 
>> respective contexts. Misconceptions abound related to the proper encoding 
>> that is required.
>> " - https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet
>> 
>> I have no experience with any of them, so can't recommend any.
>> 
>> 
>> On Sun, Jul 7, 2013 at 8:51 PM, Robin Wood <[email protected]> wrote:
>>> Can anyone suggest a JS XSS protection library?
>>> 
>>> Please don't preach that they don't work; it's for a special project, so even a bad 
>>> one will do.
>>> 
>>> Robin
>>> 
>>> 
>>> _______________________________________________
>>> Pauldotcom mailing list
>>> [email protected]
>>> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
>>> Main Web Site: http://pauldotcom.com
>> 
>> 
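The `%22%20onmouseover` case d4x describes is a context problem rather than a tag problem: a strip-all-tags sanitizer leaves a bare double quote alone, and a double quote is exactly what ends a quoted attribute value. The following is an added example, not code from this thread or from the Sanitize gem; `strip_tags` is a hand-rolled stand-in for tag stripping (an assumption about that behaviour), `render_locale_input` is a constructed template, and the probe is the thread's own URL-encoded string decoded as a Rack application would see it. It renders the same value through tag stripping and through HTML attribute encoding, then reads the attribute back out the way a browser tokenizer would, to check whether the value stayed inside its quotes.

```ruby
require "cgi"

# Constructed sample input: the %22%20onmouseover probe from the thread,
# URL-decoded exactly as a Rack/Rails app would receive the param.
PROBE = CGI.unescape("%22%20onmouseover") # => "\" onmouseover"

# Stand-in for a strip-all-tags sanitizer (an assumption about its
# behaviour, not the Sanitize gem): removes <...> markup, touches nothing else.
def strip_tags(value)
  value.gsub(/<[^>]*>/, "")
end

# Output encoding for the HTML attribute context: & < > " ' become entities,
# so the value can never close the quote it was placed inside.
def encode_for_attribute(value)
  CGI.escapeHTML(value)
end

# Constructed template that interpolates a param into a double-quoted attribute.
def render_locale_input(value)
  %(<input type="text" name="locale" value="#{value}">)
end

# Defender's check: read the attribute back the way a browser tokenizer would
# (the first closing quote ends the value) and compare it with what we
# intended to put there. A mismatch means the value escaped its context.
def attribute_roundtrips?(rendered, intended)
  m = rendered.match(/\svalue="([^"]*)"/)
  return false unless m
  CGI.unescapeHTML(m[1]) == intended
end

# Whatever sits between the end of the value attribute and the closing '>'
# is user-controlled text that leaked out of the attribute into tag syntax.
def leaked_after_value(rendered)
  rendered.sub(/\A.*?\svalue="[^"]*"/m, "").sub(/>\z/, "")
end

# Render the value through both strategies and report containment for each.
def compare_strategies(value = PROBE)
  stripped = render_locale_input(strip_tags(value))
  encoded  = render_locale_input(encode_for_attribute(value))
  {
    stripped: { html: stripped,
                contained: attribute_roundtrips?(stripped, value),
                leaked: leaked_after_value(stripped) },
    encoded:  { html: encoded,
                contained: attribute_roundtrips?(encoded, value),
                leaked: leaked_after_value(encoded) }
  }
end

if $PROGRAM_NAME == __FILE__
  compare_strategies.each do |name, r|
    puts "#{name}: contained=#{r[:contained]} leaked=#{r[:leaked].inspect}"
    puts "  #{r[:html]}"
  end
end
```

Tag stripping passes the probe through untouched, so the rendered tag reads `value="" onmouseover">` and the check reports the trailing text as leaked; attribute encoding turns the quote into `&quot;`, the round trip succeeds and nothing leaks. This is the whitelist the OWASP quote above is pointing at: encode on output for the context the value lands in (here a quoted attribute; a JS string, URL or CSS context needs its own encoder) rather than trying to enumerate bad input. In Rails, `ERB::Util.html_escape` (the `h` helper) performs the same attribute-safe encoding as `CGI.escapeHTML`.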
