Valdis.Kletnieksat_private wrote: > Remember - don't filter known bad chars. Filter *everything* *but* known good. This is a fundamental rule of security... why do thousands of programmers still not know this... </rant> Filters can *help*, but there is *no* magic bullet for 100% CSS protection, because CSS is so generic that it can arise anywhere a web programmer makes a mistake. Consider this pseudocode: PasswordSubmitTarget = "https://www." + Server + ".com/login/checkpw.cgi" Suppose the variable Server comes from an untrusted source somehow. An attacker might find some way to manipulate the variable so that passwords get submitted to the attacker's server. Yet the untrusted variable could contain nothing but [a-z]! The smartest programmer in the world cannot outsmart the stupidest mistakes.
This archive was generated by hypermail 2b30 : Fri Oct 11 2002 - 16:01:26 PDT