Cross Site Scripting

Discussion in 'Javascript' started by Shabam, Sep 29, 2004.

  1. Shabam

    Shabam Guest

    I have an application that allows users to input certain html tags via a
    markup code (like "[​IMG]"). The
    application then translates that into real html for output. I've also had
    the application translate "<" to "&lt;" and ">" to "&gt;" to prevent direct
    html input by the user.

    By doing this I basically allow users to input certain html tags, while not
    giving them full permission to mess with the site.

    However, I was made aware of cross-site scripting flaws which allow a user
    to input something like "[​IMG]".
    This would be translated into "<img
    src="javascript:alert(document.cookie)">", which obviously is not good.

    My question is, besides this javascript string, what others are there to
    filter for, to prevent this type of attack?
     
    Shabam, Sep 29, 2004
    #1

  2. Shabam

    Shabam Guest

    > Try..
    > (like "[​IMG]")


    What's this got to do with my question? Mine is one of technical filtering,
    not content filtering.

    > The possibilities for abuse of such a system (from any
    > number of script or non-script sources) are extraordinary.
    >
    > Beyond an attentive moderator or pre-screening content, I
    > can really see no way to 'seal all the security holes',
    > ..beyond removing the site from the internet.


    So all of the web forums out there employing vBulletin, UBB, etc. They're
    all prone to such attacks right? If that's the case they'd all be out of
    business by now.

    It would be nice if you could show some code exploits to illustrate your
    point.
     
    Shabam, Sep 29, 2004
    #2

  3. Shabam

    Jim Ley Guest

    On Wed, 29 Sep 2004 06:35:30 -0700, "Shabam" <>
    wrote:
    >So all of the web forums out there employing vBulletin, UBB, etc. They're
    >all prone to such attacks right? If that's the case they'd all be out of
    >business by now.


    No they have lots of heuristics - making sure it starts http:// making
    sure script isn't allowed, making sure everything's encoded - they're
    not perfect, and there's always moderators eventually - people
    generally aren't as bad as you think...

    Jim.
     
    Jim Ley, Sep 29, 2004
    #3
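
The heuristics listed in the reply above (URL must start with http://, no script, everything encoded), written as a scheme allowlist instead of a list of strings to filter out. This is an added example, not code from the thread or from any forum package; the `[img]URL[/img]` syntax and all function names are assumptions.

```javascript
// Added example: allowlist rendering for a hypothetical [img]URL[/img] markup.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Encode every character that is significant in HTML text or attribute values.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  }[c]));
}

// Return a normalized absolute URL if its scheme is allowed, otherwise null.
// The URL parser lowercases the scheme and drops embedded tabs/newlines,
// so the check sees the scheme the way a browser would.
function safeImageUrl(raw) {
  let url;
  try {
    url = new URL(raw); // no base given: relative or scheme-less input throws
  } catch {
    return null;
  }
  return ALLOWED_SCHEMES.has(url.protocol) ? url.href : null;
}

// Escape all user text; only [img] bodies that pass the allowlist become tags.
function renderPost(input) {
  // split() with one capture group: even indexes are text, odd are URL bodies
  const parts = input.split(/\[img\]([\s\S]*?)\[\/img\]/i);
  return parts.map((part, i) => {
    if (i % 2 === 0) return escapeHtml(part);
    const url = safeImageUrl(part);
    return url === null
      ? escapeHtml("[img]" + part + "[/img]") // rejected markup stays inert text
      : '<img src="' + escapeHtml(url) + '" alt="">';
  }).join("");
}

// Constructed sample input
console.log(renderPost("<b>hi</b> [img]javascript:alert(document.cookie)[/img]"));
console.log(renderPost("[img]https://example.com/cat.png[/img]"));
```

Because anything that is not an absolute http or https URL is rejected, schemes other than `javascript:` are covered without being enumerated.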