From: Alex R. <al...@ne...> - 2002-07-09 20:04:56
Gabriel Lawrence wrote:
> Problem is there are a bunch of places besides script tags that can hold
> scripts....

But there aren't that many:

<script> tags
javascript: pseudo protocol
<object> tags (and whatever the NN equiv was)
on* event handlers

Am I missing any? If you block recognition by the browser of these execution contexts, then you've won. You don't have to do any strange HTML parsing, just straightforward regexp work.

> So to do this right you really do need to be able to parse
> things. Now, I agree with Alex, that we don't have to be as friendly as
> Nathan suggests. That example HTML is really totally busted... I think
> Alex is right, that we should try and canonicalize it into what we think
> is good html (and take a conservative approach) so that we can protect
> from different kinds of attacks.

I don't think we even need to worry about tag closure. If the browser can't detect the beginning of a script block, then we shouldn't worry about it. Simply make sure things are in the right charset.

>
>>>Cross-site scripting is a huge issue, and
>>>deserves to be handled in great detail.
>>
>>agreed, I'm just not quite so sure it's as hard a problem as you're
>>making it out to be.
>
> well, yes and no. It really is a hard problem, because of all the
> strange places scripting can show up.

I don't think it's that many, nor are they strange. Or am I missing something?

-- 
Alex Russell
al...@Se...
al...@ne...