On Fri, 10 Mar 2006 13:21:36 +0600, Bjoern Hoehrmann <[EMAIL PROTECTED]> wrote:

>> This kind of attack is hard to circumvent through use of HTML cleaners
>> because id="addtomemories" looks like an innocent attribute, like an
>> anchor for navigation. Preventing such attacks by an HTML cleaner would
>> require either making a full list of all "forbidden" IDs, class names
>> etc., or imposing Draconian rules upon user-supplied content, completely
>> disallowing such useful attributes like id and class.

> A full list of all forbidden IDs would be as simple as /^acme-/

Indeed. But adding a prefix to each ID and/or class name is not an option for many mature CMS and other web applications.

> which would already be necessary to ensure conforming content.

Necessary but not sufficient. Duplicate IDs aren't caught by a validating parser, so custom code is needed to enforce many of the requirements. For example, if one was trying to ensure that all IDs are unique, then the ID values within the user-supplied code would have to be checked for duplicates among them, too.


-- Opera M2 9.0 TP2 on Debian Linux 2.6.12-1-k7
* Origin: X-Man's Station at SW-Soft, Inc. [ICQ: 115226275] <[EMAIL PROTECTED]>
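Added example (not code from anyone in this thread): a small audit pass over user-supplied markup that applies both approaches discussed above, a reserved-prefix regex like /^acme-/ for host names that can be prefixed and an explicit set for legacy host names that cannot, and also catches duplicate ids, which a validating parser does not. The prefix, the legacy name set and the sample markup are constructed for the example.

```python
import re
from html.parser import HTMLParser

# Constructed policy: the host page keeps its own ids/class names under the
# prefix "acme-" (Bjoern's /^acme-/) and also lists legacy names it cannot rename.
RESERVED_PREFIX = re.compile(r"^acme-")
LEGACY_HOST_NAMES = frozenset({"addtomemories"})


class IdClassAuditor(HTMLParser):
    """Record id/class values that collide with the host page, and duplicate ids."""

    def __init__(self, reserved=RESERVED_PREFIX, host_names=LEGACY_HOST_NAMES):
        super().__init__()
        self.reserved, self.host_names = reserved, host_names
        self.seen_ids = set()
        self.collisions = []  # (tag, attribute, value)
        self.duplicates = []  # id values that appear more than once

    def _collides(self, value):
        return bool(self.reserved.match(value)) or value in self.host_names

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:  # attribute names arrive lowercased
            if value is None:
                continue
            if name == "id":
                ident = value.strip()
                if ident in self.seen_ids:  # validators do not report this
                    self.duplicates.append(ident)
                self.seen_ids.add(ident)
                if self._collides(ident):
                    self.collisions.append((tag, "id", ident))
            elif name == "class":
                for cls in value.split():  # class holds a space-separated list
                    if self._collides(cls):
                        self.collisions.append((tag, "class", cls))


def audit(fragment, reserved=RESERVED_PREFIX, host_names=LEGACY_HOST_NAMES):
    """Return (collisions, duplicates); a cleaner rejects the fragment if either is non-empty."""
    parser = IdClassAuditor(reserved, host_names)
    parser.feed(fragment)
    parser.close()
    return parser.collisions, parser.duplicates


# Constructed user-supplied markup: one host-id collision, one reserved class, one duplicate id.
SAMPLE = ('<p id="intro" class="note">hi</p>'
          '<a id="addtomemories" href="#intro">x</a>'
          '<div id="intro" class="acme-header widget"></div>')
```

Duplicates are only checked within the fragment itself; a host page that allows several user fragments would need to merge the `seen_ids` sets across them.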
