*blush*

I put that in as a semi-temporary placeholder to sanitize against 7-bit ASCII encoding attacks, then forgot/got lazy about finding the right way to handle them. It clearly needs to be improved...

Can you think of a better way to handle it? 
[It] uses malformed ASCII encoding with 7 bits instead of 8... Apache Tomcat is the only known server that transmits in US-ASCII encoding: 
¼script¾alert(¢XSS¢)¼/script¾

Do you think checking for ¼script instead of script would work?


Jan Moravec wrote:
I am not a security/browser expert either, so I better ask. Am I exposed to XSS attacks when I _never_ render anything I receive in the URL parameters (or from elsewhere) on the page without XML-escaping it first (e.g. with escapeXml EL function)?
 
I just bumped into a funny case where the contents of a text field containing the text "English description" gets rendered as "English description" (as I said, I always escape everything) ;-))). Obviously it is because the Xss interceptor replaces all "script" substrings with "script" and this is then escaped once more on the page, so the result is Icript.
 
Jan
 
 
-----Original Message-----
From: stripes-users-bounces@lists.sourceforge.net [mailto:stripes-users-bounces@lists.sourceforge.net] on behalf of Jeff F
Sent: Friday, July 27, 2007 19:56
To: Stripes Users List
Subject: Re: [Stripes-users] XssFilter & character decomposition problems

If the list of characters is predictable and manageable, you can exclude them from normalization. Though I'd suggest testing the new code with the attacks listed at http://ha.ckers.org/xss.html
(Hopefully the bad guys won't read this and come up with the "ýéý-ýéý attack".)

I should also mention that I'm not a security expert, not by a long shot. 
 

    
Jan Moravec wrote:
Also some of the decomposed "hooks" above accented letters are not aligned properly in FF (they are shifted to the left a bit, making the text look a bit weird).
Jan

-----Original Message-----
From: stripes-users-bounces@lists.sourceforge.net [mailto:stripes-users-bounces@lists.sourceforge.net] on behalf of Jan Moravec
Sent: Friday, July 27, 2007 19:05
To: 'Stripes Users List'
Subject: [Stripes-users] XssFilter & character decomposition problems


Hi,

I recently added this filter to my app and since that moment I have been experiencing weird character distortions in FF. The source of the trouble is the decomposition done by this method in the filter:

import sun.text.Normalizer;   // JDK-internal API; java.text.Normalizer (Java 6+) is the public equivalent

// "Simplifies input to its simplest form to make encoding tricks more difficult"
// though it didn't seem to do anything to hex or html encoded characters... *shrug* maybe for unicode?
public static String canonicalize( String input )
{
    // Normalizer.DECOMP is canonical decomposition (NFD): "é" becomes "e" followed by U+0301
    String canonical = sun.text.Normalizer.normalize( input, Normalizer.DECOMP, 0 );
    return canonical;
}

Some of the decomposed characters are displayed by FF as two characters rather than a single character! The problematic characters I encountered are: é and ý. These are displayed as e´ and y´...

Not that it is a bug in the XssFilter; it is apparently a bug in FF, which makes the use of this filter, in its published form, rather problematic in localized apps. Just to warn potential users...

Cheers,
Jan


-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser. Download your FREE copy of Splunk now >>  http://get.splunk.com/ _______________________________________________
Stripes-users mailing list
Stripes-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/stripes-users


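An added example, not code from the filter or from anyone on this list, that works through the two behaviours discussed in the thread in Python (the filter itself uses sun.text.Normalizer; java.text.Normalizer with Form.NFD and Form.NFC in Java 6 and later exposes the same two operations). NFD decomposition turns a precomposed é into two code points, which is what Jan saw rendered as e´, and NFC puts it back, so the decomposed form need only ever exist for the check. The 7-bit trick from the cheat sheet is modelled by masking U+0080..U+00FF down to seven bits; that mask is an assumption about the client behaviour the cheat sheet describes, not something verified against a browser. The check then matches "<script" in the folded form instead of replacing the bare word "script" in the input, which is what mangles "description". All sample strings are constructed; the check is a detection heuristic, and escape_xml is the step that actually makes the payload inert.

```python
import html
import unicodedata

# Constructed sample inputs (not taken from the thread).
ACCENTED = "\u00e9 \u00fd"                       # precomposed é and ý
SEVEN_BIT_PAYLOAD = "\u00bcscript\u00bealert(\u00a2XSS\u00a2)\u00bc/script\u00be"
HARMLESS = "English description"                 # contains the substring "script"


def canonicalize(text: str) -> str:
    """What the filter does: canonical decomposition (NFD).
    U+00E9 'é' becomes 'e' + U+0301, which some renderers draw as two glyphs."""
    return unicodedata.normalize("NFD", text)


def recompose(text: str) -> str:
    """NFC restores precomposed characters. Apply it to anything stored or
    echoed so the NFD form only exists inside the check."""
    return unicodedata.normalize("NFC", text)


def fold_7bit(text: str) -> str:
    """Model the cheat-sheet trick: a client treating the page as US-ASCII drops
    the high bit, so U+00BC '¼' reads as 0x3C '<', U+00BE '¾' as 0x3E '>' and
    U+00A2 '¢' as 0x22 '"'. Assumption: only U+0080..U+00FF are affected."""
    out = []
    for ch in text:
        cp = ord(ch)
        if 0x80 <= cp <= 0xFF:
            cp &= 0x7F
        out.append(chr(cp))
    return "".join(out)


def detection_form(text: str) -> str:
    """Normalize for matching only: NFD, 7-bit folded, case folded.
    The caller's text is never replaced by this value."""
    return fold_7bit(canonicalize(text)).casefold()


def contains_script_tag(text: str) -> bool:
    """Match the tag, not the bare word, so 'description' is not a hit.
    A heuristic for logging or rejecting requests, not a substitute for encoding."""
    return "<script" in detection_form(text)


def bare_word_hit(text: str) -> bool:
    """The substring test the thread complains about: fires on 'description'."""
    return "script" in text.casefold()


def escape_xml(text: str) -> str:
    """Contextual output encoding for an HTML/XML text node (what escapeXml does).
    This is what keeps the raw payload inert whatever the filter did."""
    return html.escape(text, quote=True)


if __name__ == "__main__":
    print(repr(ACCENTED), "->", repr(canonicalize(ACCENTED)), "->", repr(recompose(canonicalize(ACCENTED))))
    print(repr(SEVEN_BIT_PAYLOAD), "->", repr(fold_7bit(SEVEN_BIT_PAYLOAD)))
    print("tag check:", contains_script_tag(SEVEN_BIT_PAYLOAD), contains_script_tag(HARMLESS))
    print("bare word:", bare_word_hit(HARMLESS))
    print("escaped:", escape_xml(fold_7bit(SEVEN_BIT_PAYLOAD)))
```

NFD is canonical decomposition only; compatibility forms such as fullwidth '＜' (U+FF1C) are left alone and need NFKC or NFKD if you want them folded for the check. Whatever the check does, the page should also declare its charset explicitly (UTF-8 in the Content-Type header) so the client has no reason to fall back to US-ASCII interpretation in the first place.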