Ben Soares wrote:
Hi,

Are there any methods/flags/options available in Apache::ASP to help the developer protect against cross-site scripting?

Any other recommendations in this area?


Any bit of dynamic data (i.e. data you can't trust) rendered on your page should be escaped with

<%= $Server->HTMLEncode($data) %>

You can create a quick alias for that in global.asa like:

# global.asa
sub esc($) { $Server->HTMLEncode(shift) }

and then call

<%= esc($data) %>

or you can turn it into an XMLSubs routine like:

sub my::enc {
  # XMLSubs handler: $args holds the tag's attributes, $html the already
  # rendered content between <my:enc> and </my:enc>
  my($args, $html) = @_;
  print $main::Server->HTMLEncode($html);
}

and then use it like:

<my:enc><%= $data %></my:enc>

I am sure others will have other methods they like to use for this... :-)

Regards,

Josh

________________________________________________________________
Josh Chamas, Founder                   phone:925-552-0128
Chamas Enterprises Inc.                http://www.chamas.com
NodeWorks Link Checker                 http://www.nodeworks.com
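A stand-alone Perl script illustrating the escaping the reply above describes. This is an added example, not Apache::ASP's own code and not part of Josh's post. html_encode() stands in for $Server->HTMLEncode (the exact character set the module encodes is not stated in this thread, so the table below, including the single quote, is an assumption); js_string_encode() and the render_* templates are likewise additions, included to show that HTML encoding is the right tool for text nodes and quoted attribute values but not for data dropped into a JavaScript string literal, which needs its own escaping rule.

```perl
#!/usr/bin/perl
# Added example: output escaping against cross-site scripting, shown
# outside Apache::ASP. html_encode() approximates $Server->HTMLEncode;
# the single-quote entry and js_string_encode() are assumptions made
# here, not the module's API.
use strict;
use warnings;

my %HTML_ESC = (
    '&' => '&amp;',
    '<' => '&lt;',
    '>' => '&gt;',
    '"' => '&quot;',
    "'" => '&#39;',   # assumption: also protect single-quoted attributes
);

# Escape data for an HTML text node or a quoted attribute value.
# One pass over the string, so replacement text is never re-encoded.
sub html_encode {
    my ($s) = @_;
    $s =~ s/([&<>"'])/$HTML_ESC{$1}/g;
    return $s;
}

# Escape data placed inside a JavaScript string literal
# (<script>var x = "...";</script>). HTML entities are the wrong tool
# there; instead \xHH / \uHHHH every non-alphanumeric character so that
# neither a quote nor a closing </script> tag survives. (BMP only.)
sub js_string_encode {
    my ($s) = @_;
    $s =~ s/([^A-Za-z0-9])/
        ord($1) < 256 ? sprintf('\\x%02X', ord($1))
                      : sprintf('\\u%04X', ord($1)) /gex;
    return $s;
}

# Templates: the raw "<%= $data %>" habit next to its escaped forms.
sub render_unsafe { my ($d) = @_; return qq{<p>Hello, $d</p>} }
sub render_safe   { my ($d) = @_; return '<p>Hello, ' . html_encode($d) . '</p>' }
sub render_attr   { my ($d) = @_; return '<input value="' . html_encode($d) . '">' }
sub render_script { my ($d) = @_; return '<script>var n = "' . js_string_encode($d) . '";</script>' }

# Constructed untrusted inputs, one aimed at each injection context.
my @payloads = (
    '<script>alert(1)</script>',   # text node
    '" onmouseover="alert(1)',      # attribute value
    '"; alert(1); //',              # JavaScript string literal
);

for my $p (@payloads) {
    print "raw:     $p\n";
    print "unsafe:  ", render_unsafe($p),  "\n";
    print "safe:    ", render_safe($p),    "\n";
    print "attr:    ", render_attr($p),    "\n";
    print "script:  ", render_script($p),  "\n\n";
}

# Check a practitioner would script: nothing reaching the HTML context
# still carries a raw metacharacter.
for my $p (@payloads) {
    die "html_encode leaked a metacharacter for: $p"
        if html_encode($p) =~ /[<>"']/;
}
print "all payloads neutralised\n";
```

Encode once, at output time, not when the data is stored: html_encode applied twice turns `&lt;` into `&amp;lt;` and the page then shows entity text instead of the intended characters. Pick the helper by where the value lands in the document, since a value that is safe as a text node can still break out of an attribute or a script block.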

