On Thu, 27 Apr 2000, Vivek Khera wrote:

> >>>>> "SC" == Steven Champeon <[EMAIL PROTECTED]> writes:
> 
> SC> developers and designers) for Webmonkey:
> 
> SC>  http://hotwired.lycos.com/webmonkey/00/18/index3a.html
> 
> SC> If you want to see what sort of stuff the XSS problem opens you up for,
> SC> just try appending ?tw=<script>alert("aha!");</script> to the URL above.
> 
> Why on earth would you take user input and output it verbatim to your
> pages?  Rule number 1 of developing a web site is to never trust the
> user's input values.  *Always* validate it against what you're
> expecting.

Unfortunately there's also a browser bug to contend with. They treat \x8b
(I think that's the right code) as < and there's a similar code for
>. Since most web developers are just doing s/</&lt;/g; they are open to
attacks based on character sets like this. Sad, but true. Even our loved
CGI.pm was (is?) open to this bug - I think Lincoln has fixed the
HTMLEncode function now though.

-- 
<Matt/>

Fastnet Software Ltd. High Performance Web Specialists
Providing mod_perl, XML, Sybase and Oracle solutions
Email for training and consultancy availability.
http://sergeant.org http://xml.sergeant.org
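The two escaping habits contrasted in this thread, as an added example that is not code from the thread, from CGI.pm or from Webmonkey. `naive_escape` is the `s/</&lt;/g` pattern Matt describes; `safe_escape` additionally rewrites `&`, `"` and `'` and turns every byte outside printable ASCII into a numeric character reference, so a raw high byte such as `\x8b` never reaches the browser where, under the behaviour the message describes, it could be read as `<`. The function names, `render_page`, and the two input strings are constructed for this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Naive escaper: the "s/</&lt;/g" habit the message refers to.
# Only the two angle brackets are touched; every other byte passes through.
sub naive_escape {
    my ($s) = @_;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    return $s;
}

# Hardened escaper (example code, not CGI.pm's HTMLEncode).
# Escapes the five HTML metacharacters and then rewrites any byte outside
# printable ASCII (0x20-0x7e) as a numeric character reference, so a byte
# like \x8b becomes "&#139;" instead of being handed raw to the browser.
# Note: this operates on a byte string. For UTF-8 input, decode to
# characters first; the same substitution then emits code-point references.
sub safe_escape {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    $s =~ s/'/&#39;/g;
    $s =~ s/([^\x20-\x7e])/sprintf('&#%d;', ord $1)/ge;
    return $s;
}

# Reflects the "tw" value into a page body, escaping it with $escape
# (a code reference). Hypothetical stand-in for the Webmonkey page.
sub render_page {
    my ($tw, $escape) = @_;
    return "<html><body><p>You asked for: "
         . $escape->($tw)
         . "</p></body></html>\n";
}

# Constructed inputs for the demonstration:
my @inputs = (
    # the payload quoted in the thread
    '<script>alert("aha!");</script>',
    # same payload with each "<" replaced by the \x8b byte the message
    # says some browsers treat as "<"; the ">" is left literal
    "\x8bscript>alert(1)\x8b/script>",
);

for my $in (@inputs) {
    print "naive: ", render_page($in, \&naive_escape);
    print "safe:  ", render_page($in, \&safe_escape);
    print "\n";
}
```

Running this shows the first input neutralised by both escapers, but the second one leaves `naive_escape` emitting `\x8bscript&gt;...` with the `\x8b` bytes intact, while `safe_escape` emits `&#139;script&gt;...`. A real handler should also send an explicit `Content-Type: text/html; charset=...` header so the browser is not left to guess the character set of the page.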
