09 (horizontal tab), 10 (newline) and 13 (carriage return)
<IMG SRC="jav&#x09;ascript:alert('XSS');">
<IMG SRC="jav&#x0A;ascript:alert('XSS');">
<IMG SRC="jav&#x0D;ascript:alert('XSS');">
These three can work in XSS attacks.
Do you provide the remove function?
Thanks!


2006/6/22, Ivan Ristic <ivan.ristic@gmail.com>:
On 6/22/06, j liu <normliu@gmail.com> wrote:
>
> sample: xss attacks
> <IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
> UTF-8 Unicode encode:
> <IMG
> SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>
> hex encode:
> <IMG
> SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>
> and there are other encoding methods

All of the above can be countered using the facilities available in
ModSecurity 2.0. Here's the complete list of transformational
functions:

lowercase
replaceNulls
removeNulls
compressWhitespace
removeWhitespace
replaceComments
urlDecode
urlEncode
urlDecodeUni
base64Encode
base64Decode
md5
sha1
hexDecode
hexEncode
htmlEntityDecode
escapeSeqDecode
normalisePath
normalisePathWin

As I said earlier, you can apply any of these as many times as you
want in any order that you want. You can even have ModSecurity execute
a rule after each change to the input data (the so-called multiMatch
feature).

--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall



--
------------------------------------------------
LIUJ
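As an added illustration (not code from this thread and not ModSecurity's own implementation), the following Python re-implements a handful of the transformation functions Ivan lists (urlDecode, htmlEntityDecode, removeNulls, removeWhitespace, compressWhitespace, lowercase) as plain functions, applies them in a caller-chosen order, and checks a rule after each step in the spirit of the multiMatch feature. It runs the payloads quoted above through the chain, including the three whitespace-in-the-scheme variants (0x09, 0x0A, 0x0D), and reports at which stage the `javascript:` URI becomes visible. Function names, the chain order, the detection pattern and the extra mixed-case sample are my own assumptions.

```python
import re
import urllib.parse

# A subset of ModSecurity 2.0's t:* transformations, re-implemented for
# illustration. They operate on str; ModSecurity works on raw bytes.
def lowercase(s: str) -> str:
    return s.lower()

def remove_nulls(s: str) -> str:
    return s.replace("\x00", "")

def compress_whitespace(s: str) -> str:
    # collapse any run of space/tab/LF/CR/FF/VT into one space
    return re.sub(r"[ \t\n\r\f\v]+", " ", s)

def remove_whitespace(s: str) -> str:
    # drop every whitespace character, which joins "jav<TAB>ascript" back together
    return re.sub(r"[ \t\n\r\f\v]", "", s)

def url_decode(s: str) -> str:
    return urllib.parse.unquote_plus(s)

# Numeric character references only (decimal and hex); the trailing ';' is
# optional, which is what lets the "&#x6A&#x61..." payload omit it.
_NUMERIC_ENTITY = re.compile(r"&#(?:[xX]([0-9a-fA-F]+)|([0-9]+));?")

def html_entity_decode(s: str) -> str:
    def repl(m: re.Match) -> str:
        code = int(m.group(1), 16) if m.group(1) else int(m.group(2))
        return chr(code) if code <= 0x10FFFF else m.group(0)
    return _NUMERIC_ENTITY.sub(repl, s)

TRANSFORMS = {
    "lowercase": lowercase,
    "removeNulls": remove_nulls,
    "compressWhitespace": compress_whitespace,
    "removeWhitespace": remove_whitespace,
    "urlDecode": url_decode,
    "htmlEntityDecode": html_entity_decode,
}

# The rule: a javascript: URI anywhere in the (normalised) input.
JS_URI = re.compile(r"javascript\s*:")

# Assumed chain; order matters, as the mixed-case sample below shows.
CHAIN = ["urlDecode", "htmlEntityDecode", "removeNulls", "removeWhitespace", "lowercase"]

def transform(value: str, chain: list) -> str:
    """Apply the named transformations in order and return the final value."""
    for name in chain:
        value = TRANSFORMS[name](value)
    return value

def multi_match(value: str, chain: list, pattern: re.Pattern = JS_URI) -> list:
    """Evaluate the rule on the raw value and again after every transformation
    (the multiMatch idea); return the stage names at which it matched."""
    hits = ["raw"] if pattern.search(value) else []
    for name in chain:
        value = TRANSFORMS[name](value)
        if pattern.search(value):
            hits.append(name)
    return hits

# Constructed sample inputs: the payloads quoted in the thread plus one
# mixed-case variant (constructed) that only matches once lowercase has run.
SAMPLES = {
    "tab": "<IMG SRC=\"jav&#x09;ascript:alert('XSS');\">",
    "newline": "<IMG SRC=\"jav&#x0A;ascript:alert('XSS');\">",
    "cr": "<IMG SRC=\"jav&#x0D;ascript:alert('XSS');\">",
    "decimal": "<IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;"
               "&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>",
    "hex_nosemi": "<IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A"
                  "&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>",
    "mixedcase": "<IMG SRC=\"jav&#x0D;aScript:alert('XSS');\">",
}

def scan_samples(chain: list = CHAIN) -> dict:
    """Map each sample name to the stages at which the rule fired."""
    return {name: multi_match(payload, chain) for name, payload in SAMPLES.items()}

if __name__ == "__main__":
    for name, hits in scan_samples().items():
        print(f"{name:12} matched after: {hits or 'never'}")
```

The whitespace variants only become detectable after both htmlEntityDecode and removeWhitespace have run, and the mixed-case one only after lowercase; a chain that stops earlier, or runs lowercase before removeWhitespace with a case-sensitive pattern, misses them. That is the practical reason Ivan stresses that the functions can be applied in any order and any number of times, and why checking after each step is useful.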