Frank Hecker wrote:
> First, I won't be allowing HTML tags in submitted comments. My plan was
> to simply use the Perl CGI::EscapeHTML function (Blosxom is written in
> Perl) to convert '<', '>', double quote, and 0x8b and 0x9b to the
> corresponding HTML character entities prior to the submitted comment
> being saved and displayed. Is this sufficient, or should I be escaping
> other characters as well?
That is sufficient.
> Second, and more important (because I'm still unclear on this): I'll be
> accepting URLs submitted with comments (as part of an email/URL text
> field), and I obviously need to do something with them to avoid XSS
> problems. The question is, what? I've gotten the impression that URL-
> encoding characters like '<' that might appear in submitted URLs is not
> a total solution, and that retaining characters like '<' in the URL,
> even in encoded form, could be a problem.
In encoded form, they should be safe.
In fact, assuming that your HTML delimits the href="" with double
quotes, you can simply escape double quotes to %XX and that _should_ be
sufficient.
Gerv
_______________________________________________
Mozilla-security mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-security
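Added example, not from either participant in the thread: a Perl sketch of the two steps Frank describes, HTML-escaping the comment body with CGI.pm's escapeHTML and percent-encoding the submitted URL before it is placed inside a double-quoted href. It assumes CGI.pm is installed (it is no longer a core module), and the function names and sample inputs are constructed for illustration. It also rejects URLs whose scheme is not http or https, which goes beyond what the exchange covers: encoding the double quote stops the attribute from being closed early, but a javascript: URL needs no quote at all to run when the link is clicked.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI qw(escapeHTML);   # assumes CGI.pm is installed (not core since Perl 5.22)

# Escape a comment body so it is rendered as text and never parsed as markup.
# escapeHTML turns &, <, >, and " into their character entities.
sub escape_comment {
    my ($text) = @_;
    return escapeHTML($text);
}

# Percent-encode every byte of a submitted URL that is outside the RFC 3986
# unreserved/reserved set (this covers '"', '<', '>', space and controls),
# then require an http(s) scheme.  The scheme check is an addition beyond
# the thread: a javascript: URL contains no quote to escape yet still runs.
# Returns undef when the URL is rejected.
sub sanitize_url {
    my ($url) = @_;
    $url =~ s{([^A-Za-z0-9\-._~:/?#\[\]\@!\$&'()*+,;=%])}{sprintf('%%%02X', ord($1))}ge;
    return undef unless $url =~ m{^https?://}i;
    return $url;
}

# Build the anchor tag.  The sanitized URL is HTML-escaped a second time on
# the way into the attribute so a literal '&' becomes '&amp;'.
sub render_link {
    my ($url, $label) = @_;
    my $safe = sanitize_url($url);
    return escape_comment($label) unless defined $safe;   # no link at all
    return '<a href="' . escapeHTML($safe) . '">' . escape_comment($label) . '</a>';
}

# Constructed sample input (hypothetical, for illustration only).
my $comment  = q{<script>alert("xss")</script> said "hi" & bye};
my $good_url = q{http://example.com/"><script>alert(1)</script>};
my $bad_url  = q{javascript:alert(1)};

print "Comment:  ", escape_comment($comment), "\n";
print "Good URL: ", render_link($good_url, 'poster'), "\n";
print "Bad URL:  ", render_link($bad_url, 'poster'), "\n";
```

The first print shows the comment with every tag neutralised; the second yields an href of `http://example.com/%22%3E%3Cscript%3Ealert(1)%3C/script%3E`, which cannot break out of the attribute; the third drops the link entirely and prints only the escaped label.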