André Warnier wrote:
antoine wrote:
Hello,
Consider that I have an HTML, JavaScript, PHP site.
My goal is to somehow modify the HTML, JavaScript code before the PHP
module does its stuff.
It is part of a JavaScript injection defense system. So I want to
mark benign JavaScript before
the PHP module adds bad JavaScript code.
I first thought that an output filter is the solution, but I suppose
that in the phase of the output filter
the chunks of data will already have been produced after PHP code generation
(is that right)?
Yes
So the attack
is done and I will mark that bad JavaScript injection code as benign.
Is there a way to cope with this by adding a module-filter to Apache
and not modifying the PHP module code?
Apart from the yes above, I cannot add much, because it is not very
clear to me what you are trying to achieve, or what you are trying to
protect against. You seem to say that it is the php which inserts the
"bad" javascript code. But the php runs on your server, so that seems
to be the right point to protect, and not later try to undo what it
might have done. Or do you let any user load its own php stuff onto
your server, and then just run it?
OK, I will explain. Consider that we have an HTML form and a PHP script
that handles the posted data.
The scenario is that the bad guy writes in the form, for example,
"<script> ... bad javascript code </script>" and posts this,
so when the client gets the page we have an attack.
So I want to separate the static JavaScript code from the dynamic one.
I want a filter to process the page before any dynamic content is
inserted, for example by the PHP module.
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server
Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
" from the digest: users-digest-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
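
The ordering question discussed in this thread, as an added example that is not part of the original messages or of any Apache or PHP module: it compares marking the static scripts before the posted data is merged, marking after the merge (where an output filter runs), and encoding the posted data in the PHP handler. The function names, the `{{comment}}` placeholder, the `data-static` attribute and the sample template are assumptions made for illustration.

```php
<?php
// Added illustration. Function names, the {{comment}} placeholder, the
// data-static attribute and the sample template are assumptions made here.

// Tag every <script> currently in the markup with a per-response marker.
function mark_static_scripts(string $html, string $marker): string
{
    return preg_replace('/<script\b/i', '<script data-static="' . $marker . '"', $html);
}

// Stand-in for the PHP handler merging posted form data into the page.
function render(string $template, string $posted, bool $encode): string
{
    $value = $encode ? htmlspecialchars($posted, ENT_QUOTES, 'UTF-8') : $posted;
    return str_replace('{{comment}}', $value, $template);
}

// Return the opening <script> tags that do not carry this response's marker.
function unmarked_scripts(string $html, string $marker): array
{
    preg_match_all('/<script\b[^>]*>/i', $html, $matches);
    $needle = 'data-static="' . $marker . '"';
    $found = [];
    foreach ($matches[0] as $tag) {
        if (strpos($tag, $needle) === false) {
            $found[] = $tag;
        }
    }
    return $found;
}

$template = '<html><head><script>initMenu();</script></head>'
          . '<body><p>{{comment}}</p></body></html>';       // constructed sample
$posted   = '<script> ... bad javascript code </script>';    // form input as in the thread
$marker   = bin2hex(random_bytes(8));                        // unguessable, new per response
$marked   = mark_static_scripts($template, $marker);

// A: static template marked first, then merged: the posted tag has no marker.
$a = render($marked, $posted, false);
// B: marked after the merge (where an output filter sits): both tags get marked.
$b = mark_static_scripts(render($template, $posted, false), $marker);
// C: posted data encoded in the handler: it is no longer a tag at all.
$c = render($marked, $posted, true);

foreach (['A' => $a, 'B' => $b, 'C' => $c] as $case => $page) {
    printf("%s: %d unmarked script tag(s)\n", $case, count(unmarked_scripts($page, $marker)));
}
```

The scan looks only at `<script>` tags and uses a regular expression rather than an HTML parser, so it shows the ordering problem and is not a complete filter.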