Cross Site Scripting


Shabam

I have an application that allows users to input certain html tags via a
markup code (like "image.gif"). The application then translates that into
real html for output. I've also had the application translate "<" to "&lt;"
and ">" to "&gt;" to prevent direct html input by the user.

By doing this I basically allow users to input certain html tags, while not
giving them full permission to mess with the site.

However, I was made aware of cross-site scripting flaws which allow a user
to input something like "javascript:alert(document.cookie)". This would be
translated into "<img src="javascript:alert(document.cookie)">", which
obviously is not good.

My question is, besides this javascript string, what others are there to
filter for, to prevent this type of attack?
 

Shabam

Try.. (like "65MegaBytePicForPaedophiles.jpg")

What's this got to do with my question? Mine is one of technical filtering,
not content filtering.

The possibilities for abuse of such a system (from any number of script or
non-script sources) are extraordinary.

Beyond an attentive moderator or pre-screening content, I
can really see no way to 'seal all the security holes',
..beyond removing the site from the internet.

So all of the web forums out there employing vBulletin, UBB, etc. They're
all prone to such attacks right? If that's the case they'd all be out of
business by now.

It would be nice if you could show some code exploits to illustrate your
point.
 

Jim Ley

So all of the web forums out there employing vBulletin, UBB, etc. They're
all prone to such attacks right? If that's the case they'd all be out of
business by now.

No they have lots of heuristics - making sure it starts http:// making
sure script isn't allowed, making sure everything's encoded - they're
not perfect, and there's always moderators eventually - people
generally aren't as bad as you think...

Jim.
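As an added illustration (not code from anyone in this thread), here is a small translator for a constructed "[img]URL[/img]" markup that applies the heuristics Jim describes to the img case from the original question: the URL must carry an http or https scheme (so "javascript:" and bare relative names are rejected), URLs containing whitespace or control characters are rejected because browsers ignore those inside a scheme, and every piece of output is HTML-encoded, including the attribute value. The tag syntax, function names and sample inputs are assumptions made for this example.

```python
import html
import re
from urllib.parse import urlsplit

# Constructed markup syntax for this example: [img]URL[/img]
IMG_RE = re.compile(r"\[img\](.*?)\[/img\]", re.IGNORECASE | re.DOTALL)

# Only absolute http/https URLs may become an <img src>; "javascript:",
# "data:", protocol-relative "//host" and plain "image.gif" are all refused.
ALLOWED_SCHEMES = {"http", "https"}


def safe_url(raw: str):
    """Return raw if it is an acceptable image URL, otherwise None."""
    # Browsers drop tabs, newlines and other control characters when they
    # parse a scheme, so "java\tscript:" must be treated like "javascript:".
    if any(ord(ch) <= 0x20 or ord(ch) == 0x7F for ch in raw):
        return None
    scheme = urlsplit(raw).scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return None
    return raw


def render(markup: str) -> str:
    """Translate user markup to HTML, encoding everything that is not a
    recognised tag and keeping rejected tags as harmless literal text."""
    out = []
    pos = 0
    for m in IMG_RE.finditer(markup):
        # Text between tags: "<" -> "&lt;", ">" -> "&gt;", and also & and quotes.
        out.append(html.escape(markup[pos:m.start()]))
        url = safe_url(m.group(1))
        if url is None:
            out.append(html.escape(m.group(0)))  # show the tag, never emit it
        else:
            # quote=True turns '"' into &quot; so the value cannot leave src="".
            out.append('<img src="%s">' % html.escape(url, quote=True))
        pos = m.end()
    out.append(html.escape(markup[pos:]))
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample inputs, including the one from the question.
    for sample in ("[img]http://example.com/image.gif[/img]",
                   "[img]javascript:alert(document.cookie)[/img]",
                   "<b>bold</b>"):
        print(repr(sample), "->", repr(render(sample)))
```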
 
