Actually, I personally wouldn't have a problem with "intersectsoft.com sucks
balls" :-)
- at least that wouldn't create an endless loop that forces the user to shut
down the browser.
I'll take a look at the code you suggest - and if I use it I will contribute
it.
Thanks,
manny
-----Original Message-----
From: Jon Stevens [mailto:[EMAIL PROTECTED]]
Sent: Friday, June 01, 2001 6:21 PM
To: velocity-user
Subject: Re: Avoiding malicious tags embedded in strings
on 6/1/01 1:09 PM, "Manny Holguin" <[EMAIL PROTECTED]> wrote:
> Hi:
>
> We are developing a web application with Velocity which looks at data in a
> database which is entered via a different application. Recently someone
> entered the following text into a string field in the database:
>
> bla bla...<A onClick='while(true){alert("!Ha")}';>Click Me!
The full summary of this is called the "Cross Site Scripting Bug" and is
well documented as a CERT advisory.
> Needless to say, this caused a big problem when displayed by our velocity
> context object (i.e. $object.field ) and clicked on in our web application.
>
> Unfortunately, we can't simply strip out any HTML anchor tags because it is
> valid for users to enter HTML. And we can't disable Javascript because we
> need to use it.
The problem isn't Javascript and it also isn't the Anchor tag.
The problem is that you are trusting the content which is being input into
your application and then re-displayed on a page. One could substitute the
above example with "intersectsoft.com sucks balls" and it would be just as
bad for you. :-)
> While this is not a Velocity-specific problem, I wondered if anyone had any
> specific thoughts on the best way to handle this without introducing too
> much ugliness or killing performance.
The "right solution" is to simply do this:
When someone inputs strings which may be re-displayed on your page, all you
need to do is strip out any HTML code (and attributes) that isn't listed in
the "allowed" set of information. This class isn't perfect, but is a good
start for what you need...
<http://joist.tigris.org/source/browse/joist/java/org/joist/util/TagValidator.java?rev=1.11&content-type=text/x-cvsweb-markup>
If you would like to clean this up and contribute it to the Velocity project
in the util directory, then that would be GREAT!
-jon
--
"Open source is not available to commercial companies."
-Steve Balmer, CEO Microsoft
<http://www.suntimes.com/output/tech/cst-fin-micro01.html>
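The allowlist approach Jon describes above (keep only the tags and attributes you have explicitly approved, drop everything else, and escape the remaining text), as an added example for this thread. This is not the joist TagValidator class linked above and not code from the Velocity project; it is a small sanitizer written here in Python on top of the standard library's html.parser. The allowlist itself (a, b, i, em, strong, p, br, ul, ol, li, with href and title permitted only on a) and the accepted URL schemes are assumptions chosen for the example; the first sample input is the string from Manny's message, the others are constructed.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist for this example: tag -> attributes permitted on that tag.
# Anything not listed here is dropped. Note that event handlers (onclick, ...)
# and style never appear, so they are removed regardless of the tag.
ALLOWED_TAGS = {
    "a": {"href", "title"},
    "b": set(), "i": set(), "em": set(), "strong": set(),
    "p": set(), "br": set(), "ul": set(), "ol": set(), "li": set(),
}
VOID_TAGS = {"br"}                      # tags that take no closing tag
SAFE_URL_SCHEMES = {"http", "https", "mailto"}   # assumed; javascript:, data:, vbscript: are rejected


def safe_url(value):
    """True if the href scheme is relative or in SAFE_URL_SCHEMES.

    Browsers strip ASCII tab/newline/CR from URLs before resolving them, so
    'java\\tscript:...' would still execute; remove them before checking.
    """
    cleaned = "".join(ch for ch in value if ch not in "\t\n\r").strip()
    scheme = urlparse(cleaned).scheme.lower()
    return scheme == "" or scheme in SAFE_URL_SCHEMES


class AllowlistSanitizer(HTMLParser):
    """Rebuilds an HTML fragment keeping only allowlisted tags and attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []   # allowlisted tags currently open, to keep output balanced

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return            # tag is dropped; its text still arrives via handle_data
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_TAGS[tag] or value is None:
                continue      # onclick='...', stray ';' attributes, etc. are discarded
            if name == "href" and not safe_url(value):
                continue      # javascript: and friends are discarded
            kept.append(' %s="%s"' % (name, escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)      # <br/> is treated like <br>

    def handle_endtag(self, tag):
        if tag not in self.open_tags:
            return            # closing tag for a dropped or never-opened tag
        while self.open_tags:                 # close anything left open inside it
            opened = self.open_tags.pop()
            self.out.append("</%s>" % opened)
            if opened == tag:
                break

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))   # text is always escaped

    # comments, <!DOCTYPE>, <?pi?> fall through to the no-op defaults and vanish

    def result(self):
        while self.open_tags:                 # close tags the input left dangling
            self.out.append("</%s>" % self.open_tags.pop())
        return "".join(self.out)


def sanitize(fragment):
    """Return fragment with only allowlisted markup, safe to echo into a page."""
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return parser.result()


# Constructed sample inputs; the first is the string quoted in the thread.
SAMPLES = [
    'bla bla...<A onClick=\'while(true){alert("!Ha")}\';>Click Me!',
    '<a href="javascript:alert(1)">x</a>',
    '<a href="https://example.com" onmouseover="evil()">ok</a>',
    '<script>alert(1)</script>',
    'a < b',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), "->", repr(sanitize(sample)))
```

Two points worth noting in use: the parser lower-cases tag and attribute names, so `onClick`, `OnClick` and `ONCLICK` all fall through the same check, and the original string from the thread comes out as `bla bla...<a>Click Me!</a>`, with the anchor kept but its handler gone. The other half of the advice in the thread still applies: fields that are never supposed to carry HTML should be escaped on output rather than run through a sanitizer at all. If you do this in Java today rather than hand-rolling it, a maintained allowlist sanitizer such as the OWASP Java HTML Sanitizer covers the parsing corner cases this example does not.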