Links

About

Bio
Resume

Blog Administration

Open login screen

Powered by

Tue, 10. June 2008

Cross Site Scripting

Today I looked into defenses against Cross Site Scripting. I ran into ha.ckers.org which apparently OWASP references. I hear that ha.ckers.org page is quite well known.

Based on that research, I glean several things. Below are the highlights.

  1. Avoid allowing < or > symbols if at all possible.
  2. When you must accept HTML content, scrub input with HTMLPurifier.
  3. Avoid putting user-input content into HTML attributes. All types of attacks are possible using ampersands and such.
  4. Scrub all output and escape HTML entities.
  5. Using a black-list filter is a really bad idea.

I may report more in depth in the future.

in Web Development, XHTML | Comments (0) | Trackbacks (0)
Trackbacks
Trackback specific URI for this entry
No Trackbacks
Comments
Display comments as (Linear | Threaded)
No comments
Add Comment
E-Mail addresses will not be displayed and will only be used for E-Mail notifications

To prevent automated Bots from commentspamming, please enter the string you see in the image below in the appropriate input box. Your comment will only be submitted if the strings match. Please ensure that your browser supports and accepts cookies, or your comment cannot be verified correctly.
CAPTCHA

You can use [geshi lang=lang_name [,ln={y|n}]][/lang] tags to embed source code snippets
 
   
 

Quicksearch

Recent Entries

Stars Upon Thars
2008-12-31

HTML Charmap
2008-11-27

Anouncing IGotItWorking.com (BETA)
2008-09-07

Ubuntu on the Desktop, Windows in the Recycle Bin
2008-08-29

HTTP Status Codes: 302, 303, and 307
2008-08-07

Categories


All categories

Syndication

XML RSS 2.0 feed
ATOM/XML ATOM 1.0 feed
XML RSS 2.0 Comments