On Wed, 11 Aug 2004 14:45:05 +0100, James Adams <[EMAIL PROTECTED]> wrote:
> Hello all,
>
> I'm in the process of trying to secure my struts application against "Cross site
> scripting", "SQL injection" style attacks.
>
> One of the things I'm doing to prevent this is trying to restrict special characters
> (;.<>(){}...etc) getting beyond the validator.
>
Just thinking out loud for a moment ...
Cross site scripting attacks don't happen when sensitive characters
are inside an *input* field. The problem comes if you *output* the
data without filtering for them. That's why the Struts <bean:write>
tag, for example, filters "<", ">", "&", and ";" for you unless you
explicitly tell it not to, so if you are diligent about how you copy
your database data to output pages, you can safely accept these kinds
of character in input.
I notice that Kishore Senji (one of the other respondents in this
thread) is using Google's Gmail, just as I am at the moment. Since
this is a web application, it's a good thing that Googe isn't
disallowing the magic characters on input into a textarea, or else we
would not be able to participate in this conversation :-).
Is filtering input really the appropriate strategy for dealing with
this problem? If successful it will certainly help, but the approach
strikes me as overly restrictive for most application needs.
Craig
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
