[thelist] Invite critique of XSS prevention function
Chris at globet.com
Sat Mar 25 02:49:48 CST 2006
John
> Sending some code at you for review, if you are
> interested. This is my latest attempt at a generic and
> elegant function to clean up text with possible simple HTML
> such that XSS is prevented. Criticisms, questions, and
> comments welcome. And if you like it, you are welcome to use
> it. (Although I realize that sounds a little suspicious given
> the context!)
[..]
Two comments:
1. If you find malicious code, it is better practice to reject it rather than to try and clean it. If script tags are not anticipated, then the assumption would be that someone is trying to execute an XSS attack should they be found. Therefore, attempting to cleanse the code has no value in terms of legitimate users.
2. There are different ways for malicious code to be injected into a page. If a query string is used (which it often is), the characters can be represented in different ways. The following would get past your check, for example:
%3Cscript%3Ealert('hello%20world');%3C/script%3E
HTH
Regards
Chris Marsh
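The two points above, as an added Python illustration that is not part of the thread: a check that looks only for the literal `<script` passes the percent-encoded string from the reply, while canonicalising the input first (percent- and entity-decoding until it stops changing) and then rejecting anything outside a small tag allowlist catches it. The allowlist and the decoding round limit are assumed choices for the example.

```python
import html
import re
from urllib.parse import unquote

# Assumed allowlist of "simple HTML" that legitimate users may submit.
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br"}
TAG_RE = re.compile(r"<\s*/?\s*([a-zA-Z][a-zA-Z0-9]*)")

# The string quoted in the reply, used here as constructed sample input.
ENCODED_INPUT = "%3Cscript%3Ealert('hello%20world');%3C/script%3E"


def naive_check(text: str) -> bool:
    """The kind of check the reply criticises: only a literal '<script' is caught."""
    return "<script" not in text.lower()


def canonicalize(text: str, max_rounds: int = 5) -> str:
    """Percent-decode and HTML-entity-decode until the value stops changing.

    Raises ValueError if the input is still changing after max_rounds, so that
    deeply nested encodings are rejected rather than partially decoded.
    """
    for _ in range(max_rounds):
        decoded = html.unescape(unquote(text))
        if decoded == text:
            return text
        text = decoded
    raise ValueError("input did not stabilise after decoding")


def accept_input(raw: str) -> bool:
    """Reject (rather than try to clean) input with any tag outside the allowlist."""
    try:
        text = canonicalize(raw)
    except ValueError:
        return False
    for match in TAG_RE.finditer(text):
        if match.group(1).lower() not in ALLOWED_TAGS:
            return False
    return True


if __name__ == "__main__":
    print("naive check passes encoded input:", naive_check(ENCODED_INPUT))
    print("canonicalising check accepts it:", accept_input(ENCODED_INPUT))
```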