Re: CROSS SITE-SCRIPTING Protection with PHP

From: Marvin Simkin (Marvin.Simkinat_private)
Date: Fri Oct 11 2002 - 14:07:24 PDT


    Valdis.Kletnieksat_private wrote:
    > Remember - don't filter known bad chars.  Filter *everything* *but* known good.
    
    This is a fundamental rule of security... why do thousands of
    programmers still not know this... </rant>
    
    Filters can *help*, but there is *no* magic bullet for 100% CSS
    protection, because CSS is so generic that it can arise anywhere a web
    programmer makes a mistake. Consider this pseudocode:
    
    
    PasswordSubmitTarget = 
      "https://www." + Server + ".com/login/checkpw.cgi"
    
    Suppose the variable Server comes from an untrusted source somehow. An
    attacker might find some way to manipulate the variable so that
    passwords get submitted to the attacker's server. Yet the untrusted
    variable could contain nothing but [a-z]!
    
    The smartest programmer in the world cannot outsmart the stupidest
    mistakes.
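
Added example, not part of the original post: a PHP sketch of the pseudocode above, showing that an [a-z]-only character filter accepts a server name the site does not own, while an allow-list of whole values refuses it. The host names in KNOWN_SERVERS, the function names and the sample inputs are constructed assumptions.

```php
<?php
// Added illustration. KNOWN_SERVERS and the sample names are constructed
// placeholders, not values from the original message.
const KNOWN_SERVERS = ['shop', 'accounts'];

// Character-level filter: accepts any value made only of a-z.
// \A and \z anchor the whole string, so a trailing newline cannot slip through.
function charFilterAccepts(string $server): bool
{
    return preg_match('/\A[a-z]+\z/', $server) === 1;
}

// Value-level allow-list: accepts only hosts the site actually operates.
function allowListAccepts(string $server): bool
{
    return in_array($server, KNOWN_SERVERS, true);
}

// Builds the form target from the pseudocode, refusing unknown servers.
function passwordSubmitTarget(string $server): string
{
    if (!allowListAccepts($server)) {
        throw new InvalidArgumentException('Server is not a known login host');
    }
    return 'https://www.' . $server . '.com/login/checkpw.cgi';
}

// Constructed inputs: one legitimate host, one all-lowercase name the site
// does not own, and one value containing characters outside a-z.
foreach (['shop', 'notourhost', 'shop.x'] as $server) {
    printf(
        "%-12s char filter: %-7s allow-list: %s\n",
        $server,
        charFilterAccepts($server) ? 'accept' : 'reject',
        allowListAccepts($server) ? 'accept' : 'reject'
    );
    try {
        echo '  target: ', passwordSubmitTarget($server), "\n";
    } catch (InvalidArgumentException $e) {
        echo '  target: refused (', $e->getMessage(), ")\n";
    }
}
```

When the resulting target is written into a form's action attribute, it still needs output encoding with htmlspecialchars().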
    



    This archive was generated by hypermail 2b30 : Fri Oct 11 2002 - 16:01:26 PDT