Most message boards filter out JavaScript by default. About referer
checking, there are many clients which either do not send, or give the user
the option to not send, HTTP_REFERERs. Therefore, it wouldn't be a good move
to rely solely on checking the referer. However, would it be safe to check
that if a referer is present, it contains the site's domain name, but if it
isn't, it most likely wouldn't have been referenced in an <img> tag or
submitted via JavaScript?
--
WhiteCrown Networks - Web Application Security
www.whitecrown.net - [EMAIL PROTECTED]
 ______________________________
/ Chris Lambert - [EMAIL PROTECTED]
|-> ICQ #: 16435685 - AIM: ClipperChris
`-> Cell: (401) 743-2786 - http://sms.clambert.org/
----- Original Message -----
From: Shafik Yaghmour <[EMAIL PROTECTED]>

| Yeah this is kinda old if you have been developing sites for a
| while, you also need to consider that someone can also do this off the
| site as well. So if they have the ability to link to a site from your
| site they can get people to go to that site and then do the post from that
| site and this defeats this protection. Therefore, although everyone
| disparages HTTP_REFERER checking, in this case it will protect the
| innocent user.

| You also need to filter out JavaScript if you allow the user to
| craft their own image tags, this is a much worse problem because they can
| then claim the user's cookie, encryption won't help you here. Of course
| they could also do other bad things with JavaScript.
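
The referer check discussed in this thread, as an added example that is not part of the original messages: it parses the header and compares the host exactly instead of testing whether the string "contains" the domain, and it makes the no-referer policy an explicit switch. The host name `forum.example.test`, the function name and the sample values are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumed host name of the protected site (placeholder, not from the thread).
ALLOWED_HOSTS = {"forum.example.test"}


def referer_decision(referer, allow_missing=True):
    """Decide whether a state-changing request may proceed.

    referer       -- value of HTTP_REFERER, or None/"" when the client sent none
    allow_missing -- the lenient policy asked about in the thread: accept
                     requests that carry no referer at all
    Returns (allowed, reason).
    """
    if not referer:
        return allow_missing, "no referer sent"
    try:
        parts = urlsplit(referer)
    except ValueError:
        return False, "unparseable referer"
    if parts.scheme not in ("http", "https"):
        return False, "unexpected scheme"
    host = (parts.hostname or "").lower()
    # Compare the parsed host exactly. A substring test would also accept
    # a foreign host or query string that merely embeds the site's name.
    if host in ALLOWED_HOSTS:
        return True, "same-site referer"
    return False, "foreign referer: " + host


# Constructed sample HTTP_REFERER values.
SAMPLES = [
    "http://forum.example.test/thread/12",      # same site
    "http://forum.example.test.other.test/x",   # name embedded in another host
    "http://other.test/?forum.example.test",    # name embedded in the query
    None,                                       # client sent no referer
]

if __name__ == "__main__":
    for ref in SAMPLES:
        print(repr(ref), referer_decision(ref))
```

With `allow_missing=True` the check only rejects requests that arrive with a foreign referer; requests without the header pass, so it is a partial control in the sense the thread describes.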

