From: Gabriel L. <ga...@bu...> - 2002-07-09 19:07:48
On Tue, 2002-07-09 at 10:13, Alex Russell wrote:
> What for? Why would we _ever_ need to do such a thing? You trust some
> input, you don't trust some other input. If something is tainted, then
> strip out all semblance of <script> tags. We don't have to handle badly
> nested tag sets, etc... we just have to canonicalize the data then
> clobber the beginning tag, end of story.

Problem is there are a bunch of places besides script tags that can hold scripts.... So to do this right you really do need to be able to parse things.

Now, I agree with Alex that we don't have to be as friendly as Nathan suggests. That example HTML is really totally busted... I think Alex is right that we should try and canonicalize it into what we think is good HTML (and take a conservative approach) so that we can protect from different kinds of attacks.

>
> > Cross-site scripting is a huge issue, and
> > deserves to be handled in great detail.
>
> agreed, I'm just not quite so sure it's as hard a problem as you're
> making it out to be.

Well, yes and no. It really is a hard problem, because of all the strange places scripting can show up.

-=gabe
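The two approaches argued over above, side by side, as an added example that is not code from this thread or from the project being discussed. The "clobber the <script> tag" filter is a regex that deletes script tags; next to it is a parse-and-re-emit sanitizer that keeps only an allowlist of tags, attributes and URL schemes, escapes all text, and closes whatever the input left open, which is the "canonicalize into what we think is good HTML, conservatively" idea. The payload strings, the allowlist contents, and the helper names (`naive_strip_script`, `looks_executable`, `sanitize`) are all constructed for this example and are not anything the project defined. It uses only the Python standard library.

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed inputs (not from the thread). Only the first is a literal
# <script> element; the others put script where a tag-stripper never looks,
# or split the tag so that stripping it reassembles it.
PAYLOADS = [
    '<script>alert(1)</script>',
    '<img src="x" onerror="alert(1)">',
    '<a href="javascript:alert(1)">click</a>',
    '<scr<script>ipt>alert(1)</scr</script>ipt>',
    '<a href=" JaVaScRiPt:alert(1)">click</a>',
]

# The "clobber the <script> tag" approach, for comparison.
_SCRIPT_TAG_RE = re.compile(r'</?script\b[^>]*>', re.IGNORECASE)

def naive_strip_script(markup: str) -> str:
    """Delete <script ...> and </script> tokens, keep everything else."""
    return _SCRIPT_TAG_RE.sub('', markup)

# Rough detector used only to make the comparison observable: a script
# element, an on* event-handler attribute, or a javascript: URL.
_EXEC_RE = re.compile(r'<script\b|\bon\w+\s*=|javascript\s*:', re.IGNORECASE)

def looks_executable(markup: str) -> bool:
    return bool(_EXEC_RE.search(markup))

# Conservative allowlist (assumed for this example): anything not listed
# here is dropped on output, so every on* attribute is gone by construction.
ALLOWED_TAGS = {'p', 'br', 'b', 'i', 'em', 'strong', 'code', 'pre',
                'ul', 'ol', 'li', 'a', 'img'}
ALLOWED_ATTRS = {'a': {'href', 'title'}, 'img': {'src', 'alt'}}
URL_ATTRS = {'href', 'src'}
SAFE_SCHEMES = {'http', 'https', 'mailto'}
VOID_TAGS = {'br', 'img'}
DROP_WITH_CONTENT = {'script', 'style'}   # their text is code, not prose

class AllowlistSanitizer(HTMLParser):
    """Parse the input and re-emit only allowlisted tags and attributes,
    re-escaping all text, so the output is canonical, well-formed HTML."""

    def __init__(self):
        super().__init__(convert_charrefs=True)  # text and attrs arrive decoded
        self.out = []
        self.open = []          # allowlisted tags currently open, for re-closing
        self._suppress = None   # set while inside <script>/<style>

    @staticmethod
    def _safe_url(value):
        # Remove whitespace and control characters anywhere in the value
        # ("java\tscript:" and " javascript:" are classic evasions), then
        # allow only relative URLs and the listed schemes.
        cleaned = ''.join(ch for ch in value if not ch.isspace() and ord(ch) >= 0x20)
        scheme = urlparse(cleaned).scheme
        if scheme and scheme not in SAFE_SCHEMES:
            return None
        return cleaned

    def handle_starttag(self, tag, attrs):
        if self._suppress:
            return
        if tag in DROP_WITH_CONTENT:
            self._suppress = tag
            return
        if tag not in ALLOWED_TAGS:
            return                      # unknown tag dropped, its text kept
        kept = []
        for name, value in attrs:       # HTMLParser already lowercases names
            if name not in ALLOWED_ATTRS.get(tag, ()):
                continue
            value = value or ''
            if name in URL_ATTRS:
                value = self._safe_url(value)
                if value is None:
                    continue
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f'<{tag}{"".join(kept)}>')
        if tag not in VOID_TAGS:
            self.open.append(tag)

    def handle_endtag(self, tag):
        if self._suppress:
            if tag == self._suppress:
                self._suppress = None
            return
        if tag not in self.open:
            return                      # stray or unknown close tag
        while self.open:                # also closes badly nested children
            top = self.open.pop()
            self.out.append(f'</{top}>')
            if top == tag:
                break

    def handle_data(self, data):
        if not self._suppress:
            self.out.append(html.escape(data, quote=False))

    # Comments, doctypes and processing instructions hit the base-class
    # handlers, which discard them.

    def result(self):
        self.close()
        while self.open:                # close whatever the input left open
            self.out.append(f'</{self.open.pop()}>')
        return ''.join(self.out)

def sanitize(markup: str) -> str:
    parser = AllowlistSanitizer()
    parser.feed(markup)
    return parser.result()

if __name__ == '__main__':
    for payload in PAYLOADS:
        stripped = naive_strip_script(payload)
        print(f'{payload!r}\n  strip-script: {stripped!r} '
              f'(executable={looks_executable(stripped)})'
              f'\n  allowlist:    {sanitize(payload)!r}')
```

Run stand-alone it prints each payload after both filters: the tag-stripper neutralizes only the literal `<script>` element and turns the split-tag payload into a working one, while the allowlist output never carries a handler attribute, a `javascript:` URL or a script element. The allowlist is deliberately small; widening it (for example adding `style` attributes or `data:` URLs) reopens exactly the "strange places scripting can show up" that the message is about.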