http://kendsnyder.com/ PHP, JavaScript, CSS en Serendipity 1.3.1 - http://www.s9y.org/ Wed, 11 Jun 2008 04:24:42 GMT http://kendsnyder.com/templates/bulletproof/img/s9y_banner_small.png http://kendsnyder.com/ 100 21 http://kendsnyder.com/archives/10-Cross-Site-Scripting.html Web Development XHTML http://kendsnyder.com/archives/10-Cross-Site-Scripting.html#comments http://kendsnyder.com/wfwcomment.php?cid=10 0 http://kendsnyder.com/rss.php?version=2.0&type=comments&cid=10 nospam@example.com (Ken Snyder) <p>Today I looked into defenses against Cross Site Scripting. I ran into <a onclick="javascript: pageTracker._trackPageview('/extlink/ha.ckers.org/xss.html');" target="_blank" href="http://ha.ckers.org/xss.html">ha.ckers.org</a> which apparently <a onclick="javascript: pageTracker._trackPageview('/extlink/owasp.org');" target="_blank" href="http://owasp.org">OWASP</a> references. I hear that ha.ckers.org page is quite well known.</p> <p>Based on that research, I glean several things. Below are the highlights.</p> <ol> <li>Avoid allowing &lt; or &gt; symbols if at all possible.</li> <li>When you must accept HTML content, scrub input with <a onclick="javascript: pageTracker._trackPageview('/extlink/htmlpurifier.org');" target="_blank" href="http://htmlpurifier.org">HTMLPurifier</a>.</li> <li>Avoid putting user-input content into HTML attributes. All types of attacks are possible using ampersands and such.</li> <li>Scrub all output and escape HTML entities.</li> <li>Using a black-list filter is a really bad idea.</li> </ol> <p>I may report more in depth in the future.</p> Tue, 10 Jun 2008 22:13:42 -0600 http://kendsnyder.com/archives/10-guid.html