rapsy wrote:
> I am trying to find the best solution to prevent cross-site scripting attacks.
Aren't we all.
The best suggestion I've found is in the first comment on
http://weblogs.java.net/blog/gmurray71/archive/2006/09/preventing_cros.html
Basically the suggestion is to Tagsoup parse into XHTML in order to
filter and allow through only "safe" content. White lists are much
safer than black lists.
That is basically what I've implemented, but it's still not enough, as I
mention in the last comment there. Any suggestions on that "next step"?
Doing this "correctly" means ensuring that my whitelists are accurate
and safe. For example, it seems nice to allow style attributes, but is
that safe? In order to allow css, maybe class attributes should be
allowed, but are id attributes necessary? Don't I then have to worry
about using any of those "ajax without javascript" .js libraries?
Because of those, are there specific class attribute values I should
disallow?
It is clear that this filter is insufficient. For example, I want to
allow links, so href must be allowed in <a/> tags, but clearly I don't
want to allow that to be used as a way to trigger javascript so I must
explicitly check the content of this attribute. That brings us right
back to an ad-hoc collection of unescapeHtml/indexOf searches (for
script, eval, etc.). This seems sloppy and unless carefully maintained
likely to lead to XSS vulnerabilities for my users...
Is there an obvious next step that I'm missing? Does anyone have
available a table of "safe" tag/attribute combinations? This seems like
someplace where I'd rather trust someone with more knowledge/experience
than myself. Have only black-hats focused on this problem? Seems ripe
ground for a good open-source (white-hat) tool...
-Dale
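A whitelist sanitizer of the kind discussed above, added here as an example (not code from the thread, and written against Python's html.parser rather than TagSoup): it rebuilds the markup from an allow-list of tag/attribute pairs and treats the href scheme check as part of that allow-list instead of an ad-hoc indexOf search. The tag table and the set of permitted URL schemes are assumptions chosen for the example.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Allow-list constructed for this example: tag -> attributes permitted on it.
ALLOWED = {"p": set(), "b": set(), "i": set(), "em": set(), "strong": set(),
           "ul": set(), "ol": set(), "li": set(), "br": set(), "a": {"href", "title"}}
SAFE_SCHEMES = {"http", "https", "mailto"}

def safe_url(value):
    # Strip control chars and whitespace first: browsers ignore them inside a
    # scheme, so "java\tscript:" must be judged as "javascript:".
    cleaned = "".join(ch for ch in value if ord(ch) > 0x20)
    scheme = urlparse(cleaned).scheme.lower()
    if scheme == "":
        return cleaned.startswith(("/", "#"))    # conservative: local links only
    return scheme in SAFE_SCHEMES

class WhitelistSanitizer(HTMLParser):
    # Rebuilds markup from scratch: allow-listed tags/attributes are re-emitted,
    # other tags are dropped, all text (script bodies included) is re-escaped.
    def __init__(self):
        super().__init__(convert_charrefs=True)  # "&colon;" reaches us as ":"
        self.out, self.open = [], []

    def handle_starttag(self, tag, attrs):       # names arrive lower-cased
        if tag not in ALLOWED:
            return                               # drop the tag, keep its text
        kept = []
        for name, value in attrs:
            if name not in ALLOWED[tag] or value is None:
                continue                         # e.g. style=, id=, onclick=
            if name == "href" and not safe_url(value):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag != "br":                          # void element: no closing tag
            self.open.append(tag)
    def handle_endtag(self, tag):
        while tag in self.open:                  # also closes tags nested inside
            self.out.append(f"</{self.open.pop()}>")
    def handle_data(self, data):
        self.out.append(escape(data, quote=False))

def sanitize(html):
    s = WhitelistSanitizer()
    s.feed(html)
    s.close()
    while s.open:                                # close anything left open
        s.out.append(f"</{s.open.pop()}>")
    return "".join(s.out)
```

Because entities are decoded before the scheme check and the output is regenerated rather than patched, encodings such as `javascript&colon;` or a tab inside the scheme are judged by what the browser would actually see.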