Bytes | Software Development & Data Engineering Community
Cross Site Scripting

I have an application that allows users to input certain html tags via a
markup code (like "

"). The
application then translates that into real html for output. I've also had
the application translate "<" to "&lt;" and ">" to "&gt;" to prevent direct
html input by the user.

By doing this I basically allow users to input certain html tags, while not
giving them full permission to mess with the site.

However, I was made aware of cross-site scripting flaws which allow a user
to input something like "[img]javascript:alert(document.cookie)[/img]".
This would be translated into "<img src="javascript:alert(document.cookie)">", which obviously is not good.

My question is, besides this javascript string, what others are there to
filter for, to prevent this type of attack?
Jul 23 '05 #1
On Wed, 29 Sep 2004 04:59:52 -0700, Shabam wrote:
I have an application that allows users to input certain html tags via a
markup code (like "

"). ...
Try..
(like "

")
My question is, besides this javascript string, what others are there to
filter for, to prevent this type of attack?


The possibilities for abuse of such a system (from any
number of script or non-script sources) are extraordinary.

Beyond an attentive moderator or pre-screening content, I
can really see no way to 'seal all the security holes',
...beyond removing the site from the internet.

I will be interested to see what other people might suggest though.

--
Andrew Thompson
http://www.PhySci.org/codes/ Web & IT Help
http://www.PhySci.org/ Open-source software suite
http://www.1point1C.org/ Science & Technology
http://www.lensescapes.com/ Images that escape the mundane
Jul 23 '05 #2
> Try..
> (like "
>
> ")
What's this got to do with my question? Mine is one of technical filtering,
not content filtering.
> The possibilities for abuse of such a system (from any
> number of script or non-script sources) are extraordinary.
>
> Beyond an attentive moderator or pre-screening content, I
> can really see no way to 'seal all the security holes',
> ...beyond removing the site from the internet.


So all of the web forums out there employing vBulletin, UBB, etc., they're
all prone to such attacks, right? If that's the case they'd all be out of
business by now.

It would be nice if you could show some code exploits to illustrate your
point.
Jul 23 '05 #3
On Wed, 29 Sep 2004 06:35:30 -0700, "Shabam" <bl******@hotmail.com>
wrote:
> So all of the web forums out there employing vBulletin, UBB, etc., they're
> all prone to such attacks, right? If that's the case they'd all be out of
> business by now.


No, they have lots of heuristics - making sure it starts with http://, making
sure script isn't allowed, making sure everything's encoded - they're
not perfect, and there are always moderators eventually - people
generally aren't as bad as you think...

Jim.

Jul 23 '05 #4
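Added example (not code from this thread, nor from vBulletin, UBB or any other forum package it mentions): a small Python translator for the kind of BBCode-style markup the question describes, in two versions side by side. naive_translate does exactly what the question says (replace "<" and ">" only, then expand the tags verbatim), and hardened_translate follows the heuristics Jim lists: encode everything first, and only turn [img]/[url] into a tag when the target is an absolute http:// or https:// URL, checked by an allowlist rather than by searching for the string "javascript:". The tag set ([b], [i], [u], [url], [img]) and the sample posts in SAMPLES are assumptions constructed for this example; the samples include the payload from the question plus variants that a javascript:-only filter misses (mixed case with an embedded tab, the "j" written as a character reference, a non-http scheme, and a quote that breaks out of the src attribute because the original scheme never encoded quotes).

```python
import html
import re

# Constructed sample posts (not taken from the thread). Each is an [img] or
# [url] payload that a filter looking only for the literal "javascript:" would
# miss, plus one benign post to show that legitimate markup still works.
SAMPLES = {
    "plain_js":   "[img]javascript:alert(document.cookie)[/img]",
    "mixed_case": "[img]JaVa\tScRiPt:alert(1)[/img]",          # case + embedded tab
    "entities":   "[img]&#106;avascript:alert(1)[/img]",       # 'j' as a char reference
    "breakout":   '[img]http://example.com/x.png" onerror="alert(1)[/img]',
    "data_url":   "[url]data:text/html,<script>alert(1)</script>[/url]",
    "benign":     "[b]see[/b] [img]http://example.com/a.png?x=1&y=2[/img]",
}

# Assumed tag set for the example: [img], [url] and the inline [b]/[i]/[u].
_IMG = re.compile(r"\[img\](.*?)\[/img\]", re.IGNORECASE | re.DOTALL)
_URL = re.compile(r"\[url\](.*?)\[/url\]", re.IGNORECASE | re.DOTALL)
_INLINE = re.compile(r"\[(b|i|u)\](.*?)\[/\1\]", re.IGNORECASE | re.DOTALL)


def _inline(m):
    tag = m.group(1).lower()
    return "<%s>%s</%s>" % (tag, m.group(2), tag)


def naive_translate(text):
    """The scheme described in the question: replace '<' and '>' only, then
    expand the markup verbatim. Deliberately vulnerable, kept for comparison."""
    out = text.replace("<", "&lt;").replace(">", "&gt;")
    out = _IMG.sub(lambda m: '<img src="%s">' % m.group(1), out)
    out = _URL.sub(lambda m: '<a href="%s">%s</a>' % (m.group(1), m.group(1)), out)
    return _INLINE.sub(_inline, out)


# Allowlist, not denylist: an absolute http(s) URL containing no whitespace,
# quotes or angle brackets. javascript:, data:, vbscript:, relative paths and
# attribute breakouts are all rejected without having to be named.
_SAFE_URL = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def safe_url(raw):
    """Validate a URL the way a browser will read it: decode character
    references, drop ASCII control characters (browsers ignore tab, CR and
    LF inside a scheme), then require an absolute http(s) URL.
    Returns the cleaned URL, or None when it is rejected."""
    decoded = html.unescape(raw)
    cleaned = "".join(c for c in decoded if ord(c) >= 0x20 and ord(c) != 0x7F)
    return cleaned if _SAFE_URL.fullmatch(cleaned) else None


def hardened_translate(text):
    """Escape everything first (so '&', quotes and angle brackets are inert),
    then expand only the allowed tags; [img]/[url] targets must pass
    safe_url(). A rejected tag is left as escaped literal text."""
    out = html.escape(text, quote=True)

    def img(m):
        url = safe_url(m.group(1))
        if url is None:
            return m.group(0)
        return '<img src="%s">' % html.escape(url, quote=True)

    def link(m):
        url = safe_url(m.group(1))
        if url is None:
            return m.group(0)
        shown = html.escape(url, quote=True)
        return '<a href="%s">%s</a>' % (shown, shown)

    out = _IMG.sub(img, out)
    out = _URL.sub(link, out)
    return _INLINE.sub(_inline, out)


def compare(samples=SAMPLES):
    """Return {name: (naive_output, hardened_output)} for every sample."""
    return {k: (naive_translate(v), hardened_translate(v)) for k, v in samples.items()}


if __name__ == "__main__":
    for name, (bad, good) in compare().items():
        print("%-10s naive:    %s" % (name, bad))
        print("%-10s hardened: %s" % ("", good))
```

Running the module prints both translations for each sample. The two things worth taking from it: the order of operations matters (encode the whole post before the markup parser runs, so the parser never sees a raw quote, ampersand or angle bracket, and then validate the decoded URL and re-encode it on output), and the URL check is an allowlist of what a link target may look like rather than a list of bad strings, which is why the mixed-case, tab-separated and entity-encoded spellings of javascript: need no special handling.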
