From: Florian H. <fl...@ha...> - 2001-10-25 07:21:19
On Wed, Oct 24, 2001 at 05:25:23PM -0500, Gilles Detillieux wrote:
> According to Florian Hars:
> > Things like STARSLEFT are totally different, they do not use client
> > supplied information and so are not vulnerable to cross site scripting
> > attacks. WORDS is.
>
> This is the main point I was trying to get across.

Well, actually, no. Otherwise you wouldn't suggest treating client-supplied and server-supplied information in the same way:

> If we changed the behaviour of $(var) to SGML encode everything,
> it MIGHT make every existing template out there more secure, but it
> would almost CERTAINLY make them all unusable.

The easiest fix would probably be to document the current behaviour appropriately, i.e. put a warning into the description of every template variable that might contain tainted client-supplied information and should never be used unencoded. This will mostly be WORDS (LOGICAL_WORDS and KEYWORDS might already be sanitized, I haven't looked at the source to verify this), and depending on whether you can trust the sites you are indexing, the variables that display part of the indexed pages (but these look like they are already transformed to pure text, and so not vulnerable).

Yours, Florian.
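The distinction the message draws between tainted variables such as WORDS and server-generated ones such as STARSLEFT can be shown with a small template expander. This is an added example, not htdig's code: the $(var) syntax and the variable names come from the thread, while the template text, sample values, and the set of variables treated as tainted are constructed assumptions.

```python
import html
import re

# Variables assumed to carry client-supplied text. WORDS is named in the
# thread; LOGICAL_WORDS and KEYWORDS are included as an assumption, since
# the message says they may or may not already be sanitized.
TAINTED_VARS = {"WORDS", "LOGICAL_WORDS", "KEYWORDS"}

VAR_RE = re.compile(r"\$\((\w+)\)")


def sgml_encode(text: str) -> str:
    """Encode <, >, &, and quotes so the text renders literally."""
    return html.escape(text, quote=True)


def expand_template(template: str, variables: dict, encode_all: bool = False) -> str:
    """Expand $(VAR) references in a template string.

    encode_all=False encodes only the known tainted variables and leaves
    server-generated markup (e.g. STARSLEFT) intact. encode_all=True is the
    alternative the thread rejects: it also mangles legitimate markup.
    """
    def replace(match: re.Match) -> str:
        name = match.group(1)
        value = str(variables.get(name, ""))
        if encode_all or name in TAINTED_VARS:
            return sgml_encode(value)
        return value

    return VAR_RE.sub(replace, template)


# Constructed sample template and values (not from any real htdig template).
TEMPLATE = "<p>Results for: $(WORDS)</p>\n<p>$(STARSLEFT)</p>"
SAMPLE_VARS = {
    "WORDS": "fish & <b>chips</b>",                # client-supplied query
    "STARSLEFT": '<img src="star.gif" alt="*">',   # server-generated markup
}


def render_selective() -> str:
    """Encode only tainted variables: query is neutralised, stars still render."""
    return expand_template(TEMPLATE, SAMPLE_VARS)


def render_encode_all() -> str:
    """Encode everything: safe, but the star image becomes visible text."""
    return expand_template(TEMPLATE, SAMPLE_VARS, encode_all=True)


if __name__ == "__main__":
    print(render_selective())
    print(render_encode_all())
```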