I would recommend reading OWASP.org regarding this stuff. Their best
practices on XSS as well as SQL injection are very good.
http://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet
-- Rick
On Wed, Oct 27, 2010 at 3:43 PM, Nikolaos Giannopoulos <nikol...@brightminds.org> wrote:
> Hi,
>
> Freddy's book is awesome and has a Security chapter that covers XSS
> though it appears to me to take an inverted view on XSS attacks.
>
> Here is what I think:
>
> 1) All user data should be considered unsafe and "sanitized" before
> being processed i.e. I don't want say <script> to be stored as-is in any
> field in the DB vs. when displaying the data make sure to filter the <
> and > for &lt; and &gt;
>
> 2) There needs to be an attempt to handle other things like converting '
> to \' and \ to \\ and some SQL things like DELETE FROM and on and on...
>
> 3) Also content is typically (at least in our case) viewed far more
> often than it is stored... so it would be more efficient to do
> processing on the front-end vs. the back-end
>
> With all that said, I wonder if an appropriate solution would be to
> build a XssStringTypeConverter that encapsulates this filtering... and
> then through the @Validate do something like:
>
> @Validate(field = "someField", converter=XssStringTypeConverter.class)
>
> Of course this can get tedious but as we are using @StrictBinding to
> force only fields in @Validate to be injected this doesn't seem that bad.
>
> What do others think of this solution? What other solutions are being
> used? Perhaps this should be built-in to Stripes.
>
> Thoughts??? Comments??? All welcome and appreciated.
>
> --Nikolaos
>
>
> ------------------------------------------------------------------------------
> Nokia and AT&T present the 2010 Calling All Innovators-North America
> contest
> Create new apps & games for the Nokia N8 for consumers in U.S. and Canada
> $10 million total in prizes - $4M cash, 500 devices, nearly $6M in
> marketing
> Develop with Nokia Qt SDK, Web Runtime, or Java and Publish to Ovi Store
> http://p.sf.net/sfu/nokia-dev2dev
> _______________________________________________
> Stripes-users mailing list
> Stripes-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/stripes-users
>
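Added example, not code from this thread or from the Stripes project: the XssStringTypeConverter Nikolaos sketches, written against the Stripes 1.5 TypeConverter interface, next to a plain HTML encoder of the kind the OWASP cheat sheet Rick links prescribes (its Rule #1 encodes & < > " ' / for the HTML body and attribute contexts). The class name is Nikolaos's; the helper encodeForHtml, the control-character check and the sample inputs are assumptions of mine, and the block assumes net.sourceforge.stripes.validation.TypeConverter, SimpleError and ValidationError on the classpath.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.Locale;

import net.sourceforge.stripes.validation.SimpleError;
import net.sourceforge.stripes.validation.TypeConverter;
import net.sourceforge.stripes.validation.ValidationError;

/**
 * Input-time sanitiser in the shape proposed in the thread:
 *   @Validate(field = "someField", converter = XssStringTypeConverter.class)
 * Stripes calls convert() once per bound parameter and stores the returned
 * String in the ActionBean property, so whatever this returns is what the
 * bean later persists.
 */
public class XssStringTypeConverter implements TypeConverter<String> {

    /** Encode the six characters OWASP lists as significant in HTML text and attribute context. */
    public static String encodeForHtml(String s) {
        if (s == null) {
            return null;
        }
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#x27;"); break;
                case '/':  out.append("&#x2F;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    @Override
    public void setLocale(Locale locale) {
        // Entity encoding does not depend on the request locale.
    }

    @Override
    public String convert(String input, Class<? extends String> targetType,
                          Collection<ValidationError> errors) {
        if (input == null) {
            return null;
        }
        // Assumed policy: reject (rather than silently alter) values carrying
        // control characters other than tab/CR/LF; form text never needs them.
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            if (c < 0x20 && c != '\t' && c != '\n' && c != '\r') {
                errors.add(new SimpleError("Control characters are not allowed"));
                return null;
            }
        }
        return encodeForHtml(input);
    }

    /** Stand-alone run on constructed input, showing the trade-off of encoding at bind time. */
    public static void main(String[] args) {
        XssStringTypeConverter conv = new XssStringTypeConverter();
        List<ValidationError> errors = new ArrayList<ValidationError>();

        // Constructed sample request parameter.
        String stored = conv.convert("<script>alert('x')</script>", String.class, errors);
        System.out.println("stored in DB : " + stored);
        // -> &lt;script&gt;alert(&#x27;x&#x27;)&lt;&#x2F;script&gt;

        // If a JSP then also escapes on output (e.g. JSTL <c:out>, which escapes
        // by default), the user sees the literal text "&lt;script&gt;...":
        System.out.println("escaped twice: " + encodeForHtml(stored));

        // Rejected input populates the Stripes errors collection instead.
        String bad = conv.convert("name\u0000", String.class, errors);
        System.out.println("control char -> " + bad + ", errors=" + errors.size());
    }
}
```

Two things to decide before wiring this in: encoding at bind time commits the stored value to the HTML context, so any JSP that already escapes on output will double-encode it, and any other consumer of the same column (JavaScript string, URL, CSV export) still needs its own context-specific encoding. For item 2 in the thread, the OWASP SQL injection guidance Rick refers to rests on bound parameters (PreparedStatement) rather than on escaping quotes in the string.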