
How to prevent cross-site scripting?

somebody
#1: Aug 16 '06
I've been informed of a cross-site scripting vulnerability.
Given the example of this exploit below, how do you prevent
this from being passed to the Perl cgi script myscript.cgi?
Normally the script would be called with only:

http://www.somedomain.com:/cgi-bin/myscript.cgi


This is how myscript.cgi is exploited:

http://www.somedomain.com:/cgi-bin/myscript.cgi/(PostData)submit=Submit&type=1.7&solve_for=%22%3e%3cscript%3ealert('spid')%3c%2fscript%3e


Or an exploit using javascript:

http://b0iler.com/script.cgi?display=<script
type=text/javascript>alert('hello');</script>


-Thanks


Randy Webb
#2: Aug 17 '06

re: How to prevent cross-site scripting?


somebody said the following on 8/16/2006 6:54 PM:
> I've been informed of a cross-site scripting vulnerability.
> Given the example of this exploit below, how do you prevent
> this from being passed to the Perl cgi script myscript.cgi?
> Normally the script would be called with only:
>
> http://www.somedomain.com:/cgi-bin/myscript.cgi
>
> This is how myscript.cgi is exploited:
>
> http://www.somedomain.com:/cgi-bin/myscript.cgi/(PostData)submit=Submit&type=1.7&solve_for=%22%3e%3cscript%3ealert('spid')%3c%2fscript%3e

Then have myscript.cgi check for that scenario and reject it. The answer
doesn't lie with JS, it lies with securing your server side code against
that attack. And, it doesn't take JS to exploit that, it only takes the
knowledge of the vulnerability to exploit it.

--
Randy
comp.lang.javascript FAQ - http://jibbering.com/faq & newsgroup weekly
Javascript Best Practices - http://www.JavascriptToolbox.com/bestpractices/
Kevin Darling
#3: Aug 17 '06

re: How to prevent cross-site scripting?


somebody wrote:
> I've been informed of a cross-site scripting vulnerability.
> Given the example of this exploit below, how do you prevent
> this from being passed to the Perl cgi script myscript.cgi?

You can't keep it from being passed to your server; someone could simply
type the attack into the browser address bar, for example. This is not
a Javascript issue, it's a server issue...

What you have to do is filter / verify any input that you will echo
back. Generally, filtering out <>#() and quotes will stop most
attacks. However, see the following url for a hacker's view of ways
around many filter traps: http://ha.ckers.org/xss.html

Note that an XSS attack won't work if you don't blindly echo back an
input !! In other words, if your URL looks like, say:

http://math.com/add_two_numbers.asp?x=1&y=2

and adds x + y together and returns just the result without echoing x
or y, then no attack is possible.

Kev

Kevin Darling
#4: Aug 17 '06

re: How to prevent cross-site scripting?



Kevin Darling wrote:
> What you have to do is filter / verify any input that you will echo
> back. Generally, filtering out <>#() and quotes will stop most
> attacks. However, see the following url for a hacker's view of ways
> around many filter traps: http://ha.ckers.org/xss.html

Woof. Never write with a four-year-old on your lap. Makes you rush
too much :-)

You should at least also filter out characters like &[ ] / \ ;
because these can, in addition to the < () " ' mentioned already, be
used to create XSS attack scripts.

Kev
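
An added example, not code from any poster in this thread: one way a Perl CGI script such as myscript.cgi could handle the solve_for parameter from post #1, validating it against an allowlist and HTML-encoding anything it echoes back. The numeric format assumed for solve_for and all helper names are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Encode the five characters that are significant in HTML text and in
# quoted attribute values, so echoed input is rendered as data.
sub escape_html {
    my ($s) = @_;
    my %ent = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
               '"' => '&quot;', "'" => '&#39;');
    $s =~ s/([&<>"'])/$ent{$1}/g;
    return $s;
}

# Decode '+' and %XX escapes the way a CGI query string is decoded.
sub url_decode {
    my ($s) = @_;
    $s =~ tr/+/ /;
    $s =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge;
    return $s;
}

# Assumption: solve_for is meant to be a plain decimal number.
# Allowlist the expected shape rather than listing characters to strip.
sub valid_solve_for {
    my ($v) = @_;
    return defined $v && $v =~ /\A-?[0-9]{1,10}(?:\.[0-9]{1,10})?\z/;
}

# Build the response fragment for one raw (still URL-encoded) value.
sub render {
    my ($raw) = @_;
    my $value = url_decode($raw);
    unless (valid_solve_for($value)) {
        return "<p>Invalid value for solve_for.</p>\n";   # reject, echo nothing
    }
    return '<input name="solve_for" value="' . escape_html($value) . "\">\n";
}

# Constructed sample inputs: a normal value, then the value from post #1.
my $reported = q{%22%3e%3cscript%3ealert('spid')%3c%2fscript%3e};
print render($_) for ('3.5', $reported);

# If a free-text value has to be shown, encoding on output renders it inert.
print '<p>You entered: ', escape_html(url_decode($reported)), "</p>\n";
```

Encoding at the point of output covers every position where the value is echoed, so the script does not depend on a list of forbidden characters being complete.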
