Joe,

Joseph McGranaghan wrote:
> So, tags I'm originally NOT allowing are:
>
> <applet> <script> <embed> <object> <server> <frame> <iframe> <frameset>
> <html> <body>

Okay. If you're going to do this:

> I'm removing all javascript event attributes ( onclick="alert('xss');" )

...then why do this:

> Removing all javascript escaped quotes: \' and \"

?? You don't allow <script> tags (and anything within them, I imagine), and you are removing javascript events, so there shouldn't be any javascript left over... right?

> In any tag left that has a link in it (src|href|action), I'm making sure
> it is NOT relative and NOT to my server: <a> <img> <ilayer> <form>

I guess this would be protecting against a SSS (same-side scripting) issue? ;)

> Any 'target' attributes, I'm changing to target='_blank', although I
> still think there is a security flaw in here for a popup window trying
> to run code on the originating page.

Note that XHTML forbids the "target" attribute. It's still widely supported, though.

> I will be checking CSS urls.

Perhaps you should simply disallow <link> elements. You aren't allowing <body>, so I'm guessing that <head> isn't allowed, which means that <link> also isn't.

I think you can ignore over-escaping javascript, since you've pretty much eliminated it in the previous steps.

-chris
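The filter the two posters are discussing, written out as an added example (not code from either of them): Joe's denied-tag list plus the <link> element chris suggests, removal of on* attributes, the "not relative, not my server" check on src/href/action, and target forced to _blank. It assumes OWN_HOST is the filtering site's own hostname and uses a constructed sample input. Because every text node is re-escaped on output, the escaped-quote stripping chris questions has nothing left to do; note also that the external-host-only URL rule goes a little beyond the thread, since it rejects javascript: URLs as a side effect.

```python
from html.parser import HTMLParser
from html import escape
from urllib.parse import urlparse

# Constructed policy mirroring the filter described in the thread.
DENIED_TAGS = {"applet", "script", "embed", "object", "server", "frame",
               "iframe", "frameset", "html", "body", "link"}
URL_ATTRS = {"src", "href", "action"}
OWN_HOST = "example.org"  # assumption: host of the site doing the filtering
SAMPLE = (  # constructed sample input (not from the thread) exercising every rule
    '<p onclick="alert(1)">say \\"hi\\" <a href="/login" target="_top">me</a> '
    '<a href="http://other.example/x">x</a><script>evil()</script><img src="javascript:alert(1)"/></p>')
def external_url(value):
    # Only absolute http(s) URLs on another host pass; relative and javascript: URLs fail.
    u = urlparse(value or "")
    return u.scheme in ("http", "https") and u.hostname not in (None, OWN_HOST)
class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__()  # convert_charrefs=True: text arrives decoded
        self.out, self.in_script = [], False

    def handle_starttag(self, tag, attrs):
        if tag in DENIED_TAGS:
            self.in_script = tag == "script"  # script body is dropped entirely
            return
        kept = []
        for name, value in attrs:
            # drop onclick=, onload=, ... and any relative or same-host link
            if name.startswith("on") or (name in URL_ATTRS and not external_url(value)):
                continue
            value = "_blank" if name == "target" else value
            kept.append(f'{name}="{escape(value or "", quote=True)}"')
        self.out.append("<" + " ".join([tag] + kept) + ">")

    def handle_startendtag(self, tag, attrs):  # <br/> is emitted as <br>
        self.handle_starttag(tag, attrs)
        self.in_script = False  # a self-closed <script/> has no body to skip

    def handle_endtag(self, tag):
        if tag in DENIED_TAGS:
            self.in_script = False
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.in_script:  # re-escaped here, so \" in text needs no care
            self.out.append(escape(data, quote=False))
def sanitize(html):
    p = Sanitizer(); p.feed(html); p.close()
    return "".join(p.out)
```

Running sanitize(SAMPLE) leaves only the <p>, the two <a> elements (the same-site one stripped to target="_blank") and a bare <img>; the script body and the onclick handler are gone.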