Could somebody please explain to me how to
test/secure your site from CSS vulnerabilities?
I understood from CERT's and Apache's explanations
that the best thing to do is to encode the output of the
dynamic parts of your site or else install a filter that
monitors your web server's output. But why encode?
Did I understand correctly that this way the output is
interpreted by the browser as text and not as a tag?
And more importantly, how and when do you encode
your output?
And does anybody know an (open source) filter for
Apache that eliminates malicious strings, or is the
whole CSS security issue too site-specific for this?
Jeroen Beerstra
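
An added illustration of the output encoding the question asks about (not part of the original post): the value is kept as received and encoded at the moment it is written into the page, with the encoding chosen by where it lands. All function names and sample inputs are constructed for this example.

```python
import html
from urllib.parse import quote, urlsplit

# Constructed sample input standing in for a visitor-supplied "name" field.
SAMPLE_NAME = "<script>alert(1)</script>"

ALLOWED_SCHEMES = {"http", "https"}  # assumption: only absolute web links allowed


def encode_text(value):
    """Element content: <, > and & become entities, so the browser
    displays the characters instead of parsing them as a tag."""
    return html.escape(value, quote=False)


def encode_attr(value):
    """Double-quoted attribute value: quotes are escaped as well, so the
    value cannot close the attribute and start a new one."""
    return html.escape(value, quote=True)


def encode_url_param(value):
    """One query-string value: percent-encode, then attribute-encode."""
    return encode_attr(quote(value, safe=""))


def safe_href(url):
    """Whole URL in href: allow-list the scheme first, because entity
    encoding alone does not neutralise a javascript: link."""
    try:
        scheme = urlsplit(url).scheme.lower()
    except ValueError:  # malformed URL, e.g. a broken IPv6 literal
        return "#"
    return encode_attr(url) if scheme in ALLOWED_SCHEMES else "#"


def render_profile(name, homepage, search):
    """Encode at output time, per context; the stored data stays raw."""
    return (
        "<p>Hello, " + encode_text(name) + "</p>\n"
        '<a href="' + safe_href(homepage) + '" title="' + encode_attr(name) + '">home</a>\n'
        '<a href="/search?q=' + encode_url_param(search) + '">search again</a>'
    )


if __name__ == "__main__":
    print(render_profile(SAMPLE_NAME, "javascript:alert(1)", "a b&c"))
```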