On Wed, 21 Nov 2001, Danny Angus wrote:
> Date: Wed, 21 Nov 2001 07:51:55 -0000
> From: Danny Angus <[EMAIL PROTECTED]>
> Reply-To: Jakarta General List <[EMAIL PROTECTED]>
> To: Jakarta General List <[EMAIL PROTECTED]>
> Subject: RE: Cross site scripting
>
> Craig wrote:
> > That seems like a lot of extra work, and is unnecessary if all the dynamic
> > output is processed appropriately.
> >
>
> out of curiosity why do you say that, the unnecessary part?
>
IF 100% of the dynamic output (i.e. the part that an attacker might be
able to exploit) is generated by JSP custom tags (or equivalent, for other
technologies) that properly filter for dangerous characters, AND if your
static output is already immune to exploit (because the app developer
already checked it for vulnerabilities), THEN any effort exerted by the
container to filter *all* occurrences of "<" et. al., followed by
reconverting the "safe" occurrences, is wasted.
IMHO, this is much more an application issue than a container issue.
However, Jon is asking for container-based solutions -- I guess that
requiring the use of Strut tags for all your output qualifies. :-)
Craig
--
To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
