
Cross Site Scripting

I have an application that allows users to input certain html tags via a
markup code (like "

"). The
application then translates that into real html for output. I've also had
the application translate "<" to "&lt;" and ">" to "&gt;" to prevent direct
html input by the user.

By doing this I basically allow users to input certain html tags, while not
giving them full permission to mess with the site.

However, I was made aware of cross-site scripting flaws which allow a user
to input something like "[img]javascript:alert(document.cookie)[/img]".
This would be translated into "<img
src="javascript:alert(document.cookie)">", which obviously is not good.

My question is, besides this javascript string, what others are there to
filter for, to prevent this type of attack?
Jul 23 '05 #1
3 Replies


On Wed, 29 Sep 2004 04:59:52 -0700, Shabam wrote:
> I have an application that allows users to input certain html tags via a
> markup code (like "
>
> "). ...

Try..
(like "

")

> My question is, besides this javascript string, what others are there to
> filter for, to prevent this type of attack?


The possibilities for abuse of such a system (from any
number of script or non-script sources) are extraordinary.

Beyond an attentive moderator or pre-screening content, I
can really see no way to 'seal all the security holes',
...beyond removing the site from the internet.

I will be interested to see what other people might suggest though.

--
Andrew Thompson
http://www.PhySci.org/codes/ Web & IT Help
http://www.PhySci.org/ Open-source software suite
http://www.1point1C.org/ Science & Technology
http://www.lensescapes.com/ Images that escape the mundane
Jul 23 '05 #2

> Try..
> (like "
>
> ")

What's this got to do with my question? Mine is one of technical filtering,
not content filtering.

> The possibilities for abuse of such a system (from any
> number of script or non-script sources) are extraordinary.
>
> Beyond an attentive moderator or pre-screening content, I
> can really see no way to 'seal all the security holes',
> ..beyond removing the site from the internet.


So all of the web forums out there employing vBulletin, UBB, etc. They're
all prone to such attacks right? If that's the case they'd all be out of
business by now.

It would be nice if you could show some code exploits to illustrate your
point.
Jul 23 '05 #3

On Wed, 29 Sep 2004 06:35:30 -0700, "Shabam" <bl******@hotmail.com>
wrote:
> So all of the web forums out there employing vBulletin, UBB, etc. They're
> all prone to such attacks right? If that's the case they'd all be out of
> business by now.


No they have lots of heuristics - making sure it starts http:// making
sure script isn't allowed, making sure everything's encoded - they're
not perfect, and there's always moderators eventually - people
generally aren't as bad as you think...

Jim.

Jul 23 '05 #4
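
The scheme check and output encoding mentioned in the last reply, as an added example that is not part of the original thread or of any forum package's code. It answers the "what else to filter for" question by allowlisting what an `[img]` URL may be instead of listing bad strings; the function names `is_safe_url` and `render`, the http/https-only policy and the sample inputs are assumptions made for illustration.

```python
import html
import re
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # assumption: only web-hosted images are wanted
IMG_TAG = re.compile(r"\[img\](.*?)\[/img\]", re.IGNORECASE | re.DOTALL)


def is_safe_url(url):
    """Allowlist check: absolute http(s) URL with a host, nothing else."""
    # Reject whitespace and control characters outright instead of trying to
    # normalise them; browsers and parsers disagree on how they are handled.
    if not url or any(ord(c) < 0x21 or ord(c) == 0x7F for c in url):
        return False
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    return parts.scheme.lower() in ALLOWED_SCHEMES and bool(parts.netloc)


def render(text):
    """Encode all user text; expand [img] only when its URL passes the allowlist."""
    out, pos = [], 0
    for m in IMG_TAG.finditer(text):
        out.append(html.escape(text[pos:m.start()]))
        if is_safe_url(m.group(1)):
            out.append('<img src="%s">' % html.escape(m.group(1), quote=True))
        else:
            out.append(html.escape(m.group(0)))  # rejected tag stays inert text
        pos = m.end()
    out.append(html.escape(text[pos:]))
    return "".join(out)


if __name__ == "__main__":
    samples = [  # constructed inputs; the second is the string from the question
        "see [img]http://example.com/cat.png[/img] <b>bold?</b>",
        "[img]javascript:alert(document.cookie)[/img]",
        '[img]http://example.com/i.png?a=1&b="2"[/img]',
    ]
    for s in samples:
        print(render(s))
```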
