[Pas-dev] css (security)
From: Mental <me...@ne...> - 2002-05-17 15:31:20
Hello. What do we think of dropping tags like SCRIPT, et al. from the request inside the RequestHandler? Sure, each page should be doing input validation, but if we prune off malicious code at the source, we win. It could even be configurable. It would make things like this impossible on every page (this should be one long line):

http://www.neverlight.com/pas/css.psp?foo=%3Cscript%3Ealert('oops')%3C/script%3E

Since I never embed javascript, iframe or any html tags really in query parameters I was considering a couple different approaches.

URL encode all angle brackets. That would make the literal script print in the page when it retrieves the query parameter.

Look for all the malicious tags in the cert advisory re: css from a year or so ago and remove them. That would still let you embed image tags and what not (like on a discussion board), but would filter out 'known malicious' tags.

-- Mental (Me...@Ne...)
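The two approaches floated in the post, applied to the query string it quotes, as an added example (this is not PAS code and not the author's own; `sanitize_params`, `BLOCKED_TAGS` and the regex are constructed here for illustration, and the tag list is a hypothetical stand-in, not the CERT advisory's list). Approach 1 entity-encodes the value so the browser renders the literal text; approach 2 removes only blocklisted tags and leaves everything else, such as an IMG tag, in place. Note that entity encoding is only safe when the value lands in HTML body or quoted-attribute context; a value written into a script block or a URL attribute needs that context's own encoding.

```python
import html
import re
from urllib.parse import parse_qs

# Constructed sample query string, modelled on the URL quoted in the post.
SAMPLE_QUERY = "foo=%3Cscript%3Ealert('oops')%3C/script%3E&bar=plain+text"


def encode_angle_brackets(value: str) -> str:
    """Approach 1: entity-encode the characters that open and close tags.

    The post mentions angle brackets only; html.escape also encodes '&' and
    both quote characters, which matters when the value is echoed inside an
    attribute rather than in the page body.
    """
    return html.escape(value, quote=True)


# Approach 2: a blocklist of tag names treated as active content.
# Hypothetical list for illustration; a real one would come from the
# advisory the post refers to and would need maintaining as browsers change.
BLOCKED_TAGS = frozenset(
    {"script", "iframe", "object", "embed", "applet", "meta", "style", "link", "form"}
)

# Matches an opening or closing tag and captures its name (case-insensitive
# handling is done on the captured name, so <SCRIPT> and <script> match alike).
_TAG_RE = re.compile(r"<\s*/?\s*([a-zA-Z][a-zA-Z0-9]*)[^>]*>", re.DOTALL)


def strip_blocked_tags(value: str) -> str:
    """Approach 2: drop tags whose name is on the blocklist, keep all others.

    Only the tag markup is removed; text between the tags survives, so the
    script *body* is still echoed, merely no longer executable as a script.
    """

    def _replace(match: "re.Match[str]") -> str:
        if match.group(1).lower() in BLOCKED_TAGS:
            return ""
        return match.group(0)

    return _TAG_RE.sub(_replace, value)


def sanitize_params(query: str, mode: str) -> dict:
    """Apply one approach to every query parameter, as the post proposes
    doing centrally in the RequestHandler before pages see the values.

    mode is "encode" (approach 1) or "strip" (approach 2).
    """
    if mode == "encode":
        fn = encode_angle_brackets
    elif mode == "strip":
        fn = strip_blocked_tags
    else:
        raise ValueError(f"unknown mode: {mode!r}")
    params = parse_qs(query, keep_blank_values=True)
    return {name: [fn(v) for v in values] for name, values in params.items()}


if __name__ == "__main__":
    for mode in ("encode", "strip"):
        print(mode, sanitize_params(SAMPLE_QUERY, mode))
```

Running the block shows the difference the post describes: with "encode" the `foo` parameter comes back as `&lt;script&gt;alert(&#x27;oops&#x27;)&lt;/script&gt;` and prints as literal text, while with "strip" it comes back as `alert('oops')` and an IMG tag in the same value would be passed through untouched.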