My use was just on a training app and I just wanted a way to push people away from just dropping things into input fields and have them use the proxy to modify traffic.
Trying to do this properly on the client side is a waste of time in reality; do it all server side.

Robin

On 17 July 2013 08:06, d4x <[email protected]> wrote:
> Hi Robin,
> Recently I'm trying to secure my websites against XSS with injection of JS
> in many ways. Unfortunately these solutions don't seem to work properly.
>
> OWASP basically says to work on whitelists, and (with Ruby) the Sanitize gem
> is helping, giving a first level of protection, stripping *all* malicious
> tags from params... but it's not enough.
>
> Some tries (i.e. starting with %22%20onmouseover) are still painful and at
> this point I'm writing some code to escape, but I am back to blacklisting,
> which smells like a never-ending run.
>
> Adding code for stupid params like locale also slows down performance, but
> it is a secondary problem.
>
> d4x
>
> Sent from my mobile
>
> On 14/Jul/2013, at 09:41, Robin Wood <[email protected]> wrote:
>
> Thanks for the suggestions, as long as it gives the impression it is
> filtering I'm happy, so I'll see which of these is the easiest to drop in.
>
> Robin
>
> On Jul 14, 2013 3:47 AM, "Ryan Dewhurst" <[email protected]> wrote:
>>
>> The OWASP DOM XSS Prevention Cheat Sheet (if you haven't come across it
>> already) lists these:
>>
>> "
>> 1. ESAPI
>> 2. Apache Commons String Utils
>> 3. Jtidy
>> 4. Your company's custom implementation.
>>
>> Some work on a black list while others ignore important characters like
>> "<" and ">". ESAPI is one of the few which works on a whitelist and encodes
>> all non-alphanumeric characters. It is important to use an encoding library
>> that understands which characters can be used to exploit vulnerabilities in
>> their respective contexts. Misconceptions abound related to the proper
>> encoding that is required.
>> " - https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet
>>
>> I have no experience with any of them, so can't recommend any.
>>
>>
>> On Sun, Jul 7, 2013 at 8:51 PM, Robin Wood <[email protected]> wrote:
>>>
>>> Can anyone suggest a JS XSS protection library?
>>>
>>> Please don't preach that they don't work; it's for a special project, so even a
>>> bad one will do.
>>>
>>> Robin
>>>
>>>
>>> _______________________________________________
>>> Pauldotcom mailing list
>>> [email protected]
>>> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
>>> Main Web Site: http://pauldotcom.com
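The thread's two technical points, that a tag-stripping sanitizer does nothing against a `%22%20onmouseover` probe and that the OWASP advice is whitelist, context-aware output encoding done on the server, can be shown side by side. The following is an added example written for this page, not code from any of the posters, the Sanitize gem or ESAPI; it is in Ruby because that is what d4x is using. The payload is constructed from the probe mentioned in the thread, and the function names (`strip_tags`, `encode_for_html_attribute`, `render_input`, `injected_attributes`) are illustrative, not a real library's API.

```ruby
# Added example (not from the thread): tag stripping versus whitelist,
# context-aware encoding for a value reflected into an HTML attribute.
require 'cgi'

# Constructed payload: the URL-decoded form of a %22%20onmouseover... probe.
# It contains no '<' or '>' at all, so any tag-based filter passes it through.
PAYLOAD = CGI.unescape('%22%20onmouseover%3Dalert(1)%20x%3D%22')
# => "\" onmouseover=alert(1) x=\""

# 1. Blacklist-style "sanitizer": removes anything shaped like a tag.
#    Fine against <script> in HTML body text, useless inside an attribute.
def strip_tags(input)
  input.gsub(/<[^>]*>/, '')
end

# 2. Whitelist encoder for the quoted-attribute context. Every character that
#    is not [A-Za-z0-9] becomes a numeric entity, so '"', ' ', '=' and '<'
#    can never terminate the attribute or the tag. This is the approach the
#    thread attributes to ESAPI ("encodes all non-alphanumeric characters").
#    Note the context: this encoder is for HTML attribute values only; JS
#    strings, URLs and CSS each need their own encoder.
def encode_for_html_attribute(input)
  input.gsub(/[^A-Za-z0-9]/) { |c| format('&#x%X;', c.ord) }
end

# Server-side template that reflects a request parameter into an attribute.
def render_input(value)
  %(<input type="text" value="#{value}">)
end

# Minimal attribute scanner (hypothetical helper, not a real HTML parser):
# lists the attribute names a browser would see on the rendered tag.
def attribute_names(tag)
  tag.scan(/\s([A-Za-z][\w-]*)\s*=/).flatten
end

# Attributes present beyond the two the template itself declares.
# Anything here is attacker-controlled markup.
def injected_attributes(value)
  attribute_names(render_input(value)) - %w[type value]
end

if $PROGRAM_NAME == __FILE__
  puts "stripped : #{render_input(strip_tags(PAYLOAD))}"
  puts "  injected attributes: #{injected_attributes(strip_tags(PAYLOAD)).inspect}"
  puts "encoded  : #{render_input(encode_for_html_attribute(PAYLOAD))}"
  puts "  injected attributes: #{injected_attributes(encode_for_html_attribute(PAYLOAD)).inspect}"
end
```

Running it shows the stripped version rendering `onmouseover` and `x` as live attributes while the encoded version keeps the whole payload inside `value`. The encoder must be chosen per output context on the server; doing the same in client-side JavaScript does not help when the reflected value is already in the page the browser received.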
