On Fri, Feb 6, 2009 at 8:49 AM, Newman, John W <[email protected]> wrote:
> "it's a gross oversimplification to assume that the transformation to be
> applied to user data is to HTML escape it"
>
> Can you elaborate on this please?
>
> If I put <script> into a field and the app html escapes it when it's output
> on the next page, there's no issue. Where is the oversimplification?
The problem with applying a filter that "fixes" input is that it makes the unwarranted assumption that the fix should involve the HTML syntax, and not SQL or Javascript or CSS or anything else that might be appropriate.

The general problem behind XSS and SQL injection is that of code generation with unknown strings. The application gets user input, and as you say it has no idea what it contains. When that input is used to generate code - for example, in a JSP page to generate HTML - then the application must ensure that the input strings will correctly play the role in the HTML syntax that the application intends. If, however, the input is being used to generate SQL, or Javascript, a similarly-purposed but completely different filter must be applied to the strings.

Protecting against XSS and SQL injection (and the lesser-known but still scary log injection: input that includes things like xterm escape sequences that are triggered when a sysop views a log file!) is a vital job, but it's one that has to be done at the point that uncontrolled strings are bound into generated code, not upon input collection.

--
Turtle, turtle, on the ground,
Pink and shiny, turn around.

_______________________________________________
Stripes-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/stripes-users
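The point made in the reply above, that the transformation must match the syntax the string is bound into, shown as an added Python example (not code from this thread or from the Stripes project). It binds the same kind of untrusted string into four generated outputs named in the reply: HTML text, a Javascript string literal, a SQL statement, and a log line. The sample inputs, the in-memory `users` table and the function names are constructed for the example; the SQL part contrasts the "HTML-escape on input, concatenate later" pattern with binding a parameter at the point the SQL is generated.

```python
import html
import json
import re
import sqlite3

# Constructed sample inputs (not from the original thread). Each is harmless
# in some output contexts and dangerous in exactly one: the right transformation
# depends on where the string is bound, not on where it was collected.
SAMPLES = {
    "html": "<script>alert(1)</script>",
    "js":   "</script><script>alert(1)</script>",
    "sql":  "1 OR 1=1",
    "log":  "login ok\x1b]0;owned\x07\x1b[2J\nadmin logged in",
}


def bind_html_text(s: str) -> str:
    """Bind an untrusted string as HTML text content (the case the question asks about)."""
    return f"<td>{html.escape(s, quote=True)}</td>"


def bind_js_string(s: str) -> str:
    """Bind an untrusted string as a Javascript string literal inside a <script> block.

    HTML escaping is the wrong filter here: '&lt;' would appear literally in the
    JS string. json.dumps handles quotes and backslashes; '<' and '>' are then
    escaped as \\u003c / \\u003e so the literal cannot close the enclosing <script>.
    """
    literal = json.dumps(s).replace("<", "\\u003c").replace(">", "\\u003e")
    return f"<script>var name = {literal};</script>"


def open_demo_db() -> sqlite3.Connection:
    """In-memory table with two constructed rows (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return conn


def lookup_with_input_filter(conn: sqlite3.Connection, s: str) -> list:
    """The pattern the reply warns against: HTML-escape on input, then build SQL
    by concatenation. '1 OR 1=1' contains nothing HTML escaping touches, so the
    string's role in the SQL syntax is still unconstrained."""
    filtered = html.escape(s, quote=True)
    return conn.execute(f"SELECT name FROM users WHERE id = {filtered}").fetchall()


def lookup_with_binding(conn: sqlite3.Connection, s: str) -> list:
    """Bind at the point of code generation: the driver carries the value as data."""
    return conn.execute("SELECT name FROM users WHERE id = ?", (s,)).fetchall()


# ANSI CSI sequences, OSC sequences (e.g. terminal-title changes) and raw C0/DEL
# control characters: what lets a log record act on a sysop's terminal.
_TERMINAL_CONTROL = re.compile(
    r"\x1b\[[0-?]*[ -/]*[@-~]"             # CSI: ESC [ params intermediates final
    r"|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)"  # OSC: ESC ] ... terminated by BEL or ESC \
    r"|[\x00-\x1f\x7f]"                    # bare control characters, newline included
)


def bind_log_field(s: str) -> str:
    """Bind an untrusted string into a log line: replace control sequences with '?'
    so the record stays a single line and cannot drive the viewer's terminal."""
    return "user=" + _TERMINAL_CONTROL.sub("?", s)


def demo() -> dict:
    """Run every binding over its sample and return the results for inspection."""
    conn = open_demo_db()
    return {
        "html": bind_html_text(SAMPLES["html"]),
        "js": bind_js_string(SAMPLES["js"]),
        "sql_input_filter_rows": len(lookup_with_input_filter(conn, SAMPLES["sql"])),
        "sql_bound_rows": len(lookup_with_binding(conn, SAMPLES["sql"])),
        "log": bind_log_field(SAMPLES["log"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Running `demo()` shows the asymmetry the reply describes: the HTML filter neutralises the `<script>` sample for an HTML text context, does nothing useful for the Javascript or SQL samples, and the input-filter lookup returns every row while the bound lookup returns none. Each `bind_*` function lives next to the code that emits that syntax, which is where the reply says the work belongs.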
