From: Alex R. <al...@se...> - 2002-07-09 22:00:19
Gabriel Lawrence wrote:
>>>Problem is there are a bunch of places besides script tags that can hold
>>>scripts....
>>
>>But there aren't that many:
>>  <script> tags
>>  javascript: pseudo protocol
>>  <object> tags (and whatever the NN equiv was)
>>  on* event handlers
>>
>
> Don't forget the stuff with CSS. This is where it gets tricky...

CSS (by which I assume you mean Cascading Style Sheets) in no way affects
Javascript, nor does it create active/scriptable content. It is formatting
for document structure. Can it be used maliciously? Perhaps, but it is also
trivial to filter. It is not nearly as dangerous as JavaScript/ActiveX, nor
does it present any threat that "regular" html content does not.

>>I don't think it's that many, nor are they strange. Or am I missing
>>something?
>
> It's one of those things that as you dig in deeper and deeper it gets
> troublesome. I'm not trying to discourage folks, but just saying we've got
> to do a fair amount of research and thinking before you just jump to
> regexes. The issue is there are a bunch of overlapping standards. Good
> thing is that there are standards and rules so the idea is just to make
> sure you account for all the standards that apply and the
> overzealousness of the browsers.

If you can think of something valid in addition to the things I listed,
cool, but I really think that there's not a lot to it. Cutting XSS off at
the knees isn't hard, just tedious.

> A quote from one of the leads at Netscape "There is no such thing as bad
> html"

I'm not looking to force valid markup on the world, just to protect them
from malicious uses of said markup. That's a simpler task.

--
Alex Russell
al...@Se...
al...@ne...
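Added example, not part of the original message or of any project's code: a parser-based audit that reports the four script-bearing places listed in the thread (<script> tags, <object> tags, on* event handlers, javascript: URLs), using Python's html.parser rather than regexes. The names ScriptVectorAudit, is_js_url, audit and the URL_ATTRS list are assumptions made for illustration, and the sample markup is constructed.

```python
from html.parser import HTMLParser

SCRIPT_TAGS = {"script", "object"}             # tags named in the message
URL_ATTRS = {"href", "src", "action", "data"}  # assumption: URL attributes to check

def is_js_url(value):
    """True if an attribute value resolves to the javascript: pseudo protocol."""
    if value is None:
        return False
    # Conservative: drop whitespace/control characters and ignore case, since
    # browsers are lenient about both when reading the scheme.
    cleaned = "".join(ch for ch in value if ch > " ").lower()
    return cleaned.startswith("javascript:")

class ScriptVectorAudit(HTMLParser):
    """Records (category, tag, attribute) for each script-bearing construct."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names for us.
        if tag in SCRIPT_TAGS:
            self.findings.append((tag + "-tag", tag, ""))
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(("event-handler", tag, name))
            elif name in URL_ATTRS and is_js_url(value):
                self.findings.append(("javascript-url", tag, name))

def audit(html):
    parser = ScriptVectorAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample input, not taken from the thread.
SAMPLE = """<p onclick="x()">hi</p>
<a href=" JavaScript:void(0)">link</a>
<a href="/docs/javascript:notes.html">ok</a>
<SCRIPT src="a.js"></SCRIPT>
<object data="movie.swf"></object>
<img src="cat.png" ONLOAD="y()">"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

The audit covers only the four places listed in the message; whether that list is complete is the question the thread is debating.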