Re: Fwd: XSS evasion

2006-10-09 Thread Chris Shiflett
Clinton Gormley wrote:
> If the input that you are wanting to display is (e.g.) a surname,
> then certainly, escaping will serve your purposes. However, if
> you are wanting your user to be able to input HTML and then
> view it as HTML, escaping isn't sufficient. The combination is
> required.
That

Re: Fwd: XSS evasion

2006-10-09 Thread Clinton Gormley
> This sounds like a good approach, but it's worth noting that XSS is
> fundamentally an escaping problem, not a filtering one. Nitesh Dhanjani
> discusses this a bit here:
>
> http://oreillynet.com/onlamp/blog/2005/10/repeat_after_me_lack_of__outpu.html
>
Yes and no. From the article:
---

Re: Fwd: XSS evasion

2006-10-09 Thread Chris Shiflett
Clinton Gormley wrote:
> HTML::StripScripts::Parser has a default deny everything approach,
> and reconstructs the HTML fed to it, so unless it makes sense as
> HTML, it doesn't get passed through and reconstructed.
This sounds like a good approach, but it's worth noting that XSS is fundamentally

Re: Fwd: XSS evasion

2006-10-08 Thread Clinton Gormley
> HTML::Scrubber is not really broken. The problem is that the
> documentation leads the user to do broken things, as was shown with
> Planet Plagger. It is possible to make a secure HTML::Scrubber config,
> but you need to default deny everything and then only allow a select
> list of tags and
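A worked illustration of the two cases argued over in this thread: a plain data field (the surname) that is escaped at output time, and user-supplied HTML that has to be parsed and rebuilt from a default-deny allowlist, the "deny everything, then reconstruct" approach described above for HTML::StripScripts::Parser and for a properly configured HTML::Scrubber. This is an added example, not code from the thread or from either of those modules; it is written against Python's standard library rather than Perl so that it runs with no CPAN modules installed, and the allowlist, the URL-scheme rule, the class and function names and the sample inputs are assumptions chosen for the demonstration.

```python
"""Added example: escaping for data fields, default-deny sanitizing for HTML.

Case 1, a plain data field (a surname) goes into a page: escape it at
output time and nothing else is needed.
Case 2, the user may write HTML: escaping would destroy it, so parse the
markup and rebuild only what an allowlist permits. Every tag, attribute
and comment not on the list is dropped. This is the same "default deny,
then reconstruct" idea as HTML::StripScripts::Parser, not that module's
code. The allowlist and the samples below are assumptions.
"""
import html
from html.parser import HTMLParser

# Assumed allowlist: tag -> attributes allowed on that tag. Not listed = denied.
ALLOWED = {"p": set(), "b": set(), "i": set(), "u": set(), "br": set(), "a": {"href"}}
VOID = {"br"}                       # tags that never get a closing tag
DROP_CONTENT = {"script", "style"}  # denied tags whose text content is dropped too
SAFE_URL_SCHEMES = ("http:", "https:", "mailto:")


def escape_for_html(value: str) -> str:
    """Case 1: render untrusted text as text. quote=True also covers attribute values."""
    return html.escape(value, quote=True)


def safe_href(url: str) -> bool:
    """Allow relative URLs and the listed schemes only. Browsers ignore whitespace
    and control characters inside a scheme, so strip them first: "java\\tscript:"
    is still javascript."""
    u = "".join(ch for ch in url if ch.isprintable() and not ch.isspace()).lower()
    head = u.split("/", 1)[0].split("?", 1)[0].split("#", 1)[0]
    if ":" not in head:
        return True  # no scheme at all: a relative URL
    return u.startswith(SAFE_URL_SCHEMES)


class DefaultDenyHTML(HTMLParser):
    """Case 2: parse the input, then emit only markup we generate ourselves."""

    def __init__(self):
        super().__init__(convert_charrefs=True)  # entities arrive decoded; we re-escape
        self.out = []
        self.stack = []   # allowed tags currently open, so output nesting stays valid
        self.skip = 0     # > 0 while inside <script> / <style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip += 1
            return
        if tag not in ALLOWED:
            return        # tag dropped; its text still arrives via handle_data
        kept = []
        for name, value in attrs:   # html.parser has already decoded &#106;avascript: etc.
            value = value or ""
            if name not in ALLOWED[tag]:
                continue
            if name == "href" and not safe_href(value):
                continue
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID:
            self.stack.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip = max(0, self.skip - 1)
            return
        if tag not in self.stack:
            return        # stray close tag: ignore it
        while self.stack:  # close back to the matching tag so nesting stays well-formed
            t = self.stack.pop()
            self.out.append(f"</{t}>")
            if t == tag:
                break

    def handle_data(self, data):
        if not self.skip:
            self.out.append(html.escape(data, quote=False))

    # Comments, declarations and processing instructions never reach the output.
    def handle_comment(self, data): pass
    def handle_decl(self, decl): pass
    def handle_pi(self, data): pass
    def unknown_decl(self, data): pass

    def result(self) -> str:
        self.close()
        while self.stack:  # close anything the author left open
            self.out.append(f"</{self.stack.pop()}>")
        return "".join(self.out)


def sanitize_html(fragment: str) -> str:
    p = DefaultDenyHTML()
    p.feed(fragment)
    return p.result()


if __name__ == "__main__":
    # Constructed samples for the demonstration.
    print(escape_for_html("O'Brien <script>"))
    for sample in ('<p onclick="x()">Hi <b>there</b><script>alert(1)</script></p>',
                   '<a href="&#106;avascript:alert(1)">x</a><a href="https://example.com/">y</a>',
                   '<img src=x onerror=alert(1)>click', '<b><i>x</b>y'):
        print(sanitize_html(sample))
```

The point the thread makes is visible in the two functions: `escape_for_html` is all a surname needs, while `sanitize_html` never passes the author's bytes through; it emits only tags and attributes from `ALLOWED`, re-escapes every text node, and checks `href` after the parser has decoded entity tricks, which is where a config that "allows everything by default" goes wrong.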

Re: Fwd: XSS evasion

2006-10-08 Thread mock
On Fri, Oct 06, 2006 at 07:25:06PM +0200, Clinton Gormley wrote:
> On Fri, 2006-10-06 at 18:48 +0200, Hendrik Van Belleghem wrote:
> > "mock" talked about XSS at this year's YAPC::Europe in Birmingham a few
> > weeks ago. He had quite a few examples. His slides are at
> > http://sketchfactory.com/st

Re: Fwd: XSS evasion

2006-10-06 Thread Clinton Gormley
On Fri, 2006-10-06 at 18:48 +0200, Hendrik Van Belleghem wrote:
> "mock" talked about XSS at this year's YAPC::Europe in Birmingham a few
> weeks ago. He had quite a few examples. His slides are at
> http://sketchfactory.com/static/mvc.pdf (More Vulnerable Code).
> It goes without saying that it wou

Fwd: XSS evasion

2006-10-06 Thread Hendrik Van Belleghem
"mock" talked about XSS at this year's YAPC::Europe in Birmingham a few weeks ago. He had quite a few examples. His slides are at http://sketchfactory.com/static/mvc.pdf (More Vulnerable Code). It goes without saying that it would be a bit unwise to test the URLs mentioned in the talk.
my 2 cents