Frank Hecker wrote:
First, I won't be allowing HTML tags in submitted comments. My plan was
to simply use the Perl CGI::EscapeHTML function (Blosxom is written in
Perl) to convert '<', '>', double quote, and 0x8b and 0x9b to the
corresponding HTML character entities prior to the submitted comment
being saved and displayed. Is this sufficient, or should I be escaping
other characters as well?
That is sufficient.
Second, and more important (because I'm still unclear on this): I'll be
accepting URLs submitted with comments (as part of an email/URL text
field), and I obviously need to do something with them to avoid XSS
problems. The question is, what? I've gotten the impression that url
encoding characters like '' that might appear in submitted URLs is not
a total solution, and that retaining characters like '' in the URL,
even in encoded form, could be a problem.
In encoded form, they should be safe.
In fact, assuming that your HTML delimits the href= with double
quotes, you can simply escape double quotes to %XX and that _should_ be
sufficient.
Gerv
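The two-part arrangement discussed above, as an added example that is not code from the original thread or from Blosxom: CGI::escapeHTML for the comment body, and percent-encoding of the double quote (plus angle brackets and control characters) for a URL placed inside a double-quoted href. The http/https scheme allow-list in url_for_href is an extra precaution the thread does not discuss, and URI::Escape and the sample inputs are this example's own assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI;                              # CGI.pm, as used by Blosxom
use URI::Escape qw(uri_escape);       # assumption: URI::Escape is installed

# Comment body -> HTML text. CGI::escapeHTML turns &, <, > and the
# double quote into character entities, so no submitted tag survives.
sub comment_to_html {
    my ($text) = @_;
    return CGI::escapeHTML($text);
}

# Submitted URL -> value safe inside href="...". The double quote is
# what could close the attribute; <, >, space and control characters
# are encoded as well. The scheme check is an added precaution
# (assumption: only http/https links are wanted in comments).
sub url_for_href {
    my ($url) = @_;
    return undef unless defined $url && $url =~ m{^https?://}i;
    # q{} keeps the backslashes literal; uri_escape treats the string
    # as a regex character class of bytes to percent-encode.
    return uri_escape($url, q{"'<> \x00-\x1f\x7f});
}

# Assemble one rendered comment; the name is escaped like the body.
sub render_comment {
    my ($name, $url, $body) = @_;
    my $safe_url = url_for_href($url);
    my $who = defined $safe_url
        ? sprintf('<a href="%s">%s</a>', $safe_url, CGI::escapeHTML($name))
        : CGI::escapeHTML($name);
    return "<p>$who wrote: " . comment_to_html($body) . "</p>\n";
}

# Constructed sample input: a URL that tries to close the attribute,
# and a body containing markup characters.
print render_comment('Frank',
                     'http://example.com/?q="<script>',
                     'a <b> "c" & d');
# Expected href: http://example.com/?q=%22%3Cscript%3E
# Expected body: a &lt;b&gt; &quot;c&quot; &amp; d
```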
___
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security