At 09:29 PM 9/8/2002 -0700, you wrote:
>If you are not familiar with what I mean by cross site scripting (XSS), here
>are two links with information about it:
>
> http://www.cgisecurity.com/articles/xss-faq.shtml
>
> http://www.cert.org/advisories/CA-2000-02.html
>
>According to the first FAQ above, some of the things that should be done to
>protect your web application are:
>
> "Never trust user input and always filter metacharacters. This will
>eliminate the majority of XSS attacks. Converting < and > to &lt; and &gt;
>is also suggested when it comes to script output. Remember XSS holes can be
>damaging and costly to your business if abused. Often attackers will
>disclose these holes to the public, which can erode customer and public
>confidence in the security and privacy of your organization's site.
>Filtering < and > alone will not solve all cross site scripting attacks and
>it is suggested you also attempt to filter out ( and ) by translating them
>to &#40; and &#41;, and also # and & by translating them to &#35; (#) and
>&#38; (&)."
Mike,

I've studied this a bit when I made an XSS filter for Expresso, and came across the following situations.

- I could never get browsers to properly render: #, (, ), and ' so I ended up having to bail on having them replaced with the appropriate character entity. If somebody has a way of getting it to work, I'd really appreciate hearing what they said. I DID get double quotes properly filtered.

- You don't ALWAYS want to filter the input parameters. If, for example, the company name in a registration app was Mike & Ike, Inc., you'd want to write to the underlying database "Mike & Ike, Inc.", NOT "Mike &amp; Ike, Inc." The reason is simple: if you read the database with a non-web-browser application, then the data may be messed up.

- However, you DO want to filter the data you are sending to the browser. In this case, you DO want the company name to be rendered "Mike &amp; Ike, Inc." in most cases. So in this case, Struts does a reasonable job of transforming the output.

I made the mistake in my own design of filtering all data read from a data source... which worked nicely and transparently to the user, but may cause problems if you want to read and send the data through, for example, a web service instead of a JSP page.

Hope this clarifies the issue. Granted, there has been very little attention to XSS, which causes many people to write vulnerable applications. I appreciate you piping up asking questions about it.

-Mike
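The store-raw, escape-on-output rule Mike describes, as an added Java example that is not code from Struts or Expresso: `escapeHtml`, `renderCell` and the sample strings are constructed for illustration, and the comparison to a JSP output tag is an assumption about how such a tag filters.

```java
import java.util.Arrays;
import java.util.List;

/** Added example: keep the database value raw, escape only at the browser boundary. */
public class OutputEscaping {

    /** Replaces the characters the cgisecurity FAQ lists with character entities.
     *  Numeric entities are used for ( ) # and the apostrophe, which have no
     *  named entity in HTML 4. The ampersand is escaped like any other character,
     *  so this must only ever be applied to raw (not already escaped) text. */
    public static String escapeHtml(String s) {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                case '(':  sb.append("&#40;");  break;
                case ')':  sb.append("&#41;");  break;
                case '#':  sb.append("&#35;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Renders one table cell the way an output-filtering JSP tag would (assumed behaviour). */
    public static String renderCell(String storedValue) {
        return "<td>" + escapeHtml(storedValue) + "</td>";
    }

    public static void main(String[] args) {
        // Constructed sample input: a legitimate company name and a hostile one.
        List<String> submitted = Arrays.asList("Mike & Ike, Inc.", "<script>alert('x')</script>");
        for (String raw : submitted) {
            String stored = raw;                        // store exactly what the user typed
            System.out.println("DB value : " + stored); // a web service reads the real name
            System.out.println("Browser  : " + renderCell(stored)); // script tags render inert
        }
        // Escaping before storage and again on output double-encodes: "&amp;amp;" reaches the page.
        String storedEscaped = escapeHtml("Mike & Ike, Inc.");
        System.out.println("Double   : " + renderCell(storedEscaped));
    }
}
```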