Re: [tlug] Do you whitelist or blacklist utf-8?
- Date: Thu, 24 Feb 2011 11:52:29 +0900
- From: Edmund Edgar <lists@example.com>
- Subject: Re: [tlug] Do you whitelist or blacklist utf-8?
- References: <4D639689.1010302@example.com> <4D63EFBC.1020900@example.com> <AANLkTik6yyhJ-gz+NJP2yU+08ipYLaZtwZ39pn9F_b97@example.com> <8762sanqad.fsf@example.com>
On 24 February 2011 11:02, Stephen J. Turnbull <stephen@example.com> wrote:

> It's really not clear to me what Dave is worried about. XSS
> vulnerabilities are 100% about untrusted *ML (mostly HTML, but now
> many browsers can handle SVG and even generic XML). Filter "<" and
> you're done. No meta tags, no script tags, no a tags, no img tags, no
> link tags, have I missed any? doesn't matter, there are no tags at all
> here!

Just in case anyone gets the wrong idea from what Stephen just said, bear in mind that the issue isn't whether someone manages to "<" input through your filter, it's whether they manage to get their HTML in between one of your "<" and ">"s. (Or even just after a "<", because some browsers will close your tags for you if they think you forgot...)

For example, if you're letting people input a URL which you then display as a link, they can create all kinds of mischief by putting interesting stuff in the URL, which is going to end up between the tags in your anchor tag.

See this to get an idea of some of the potential mischief:
http://ha.ckers.org/xss.html

...and this for a good explanation of what you should do about it:
http://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet

--
Edmund Edgar
Founder, KK Social Minds
Educational Technology for the Web and Virtual Worlds
ed@example.com
+81 090 3912 3380
Skype: edmundedgar
Second Life: Edmund Earp
Linked In: edmundedgar
Twitter: @edmundedgar
http://www.socialminds.jp
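An added illustration of Edmund's point (example code written for this archive page, not from any poster): a URL that contains no "<" at all can still end the href attribute early and add attributes of its own, whereas validating the scheme and escaping for the attribute context keeps it inert. The helper that reads the attributes back through Python's HTMLParser, the allowed-scheme set and the two constructed inputs are all assumptions of the example.

```python
import html
from html.parser import HTMLParser
from typing import Dict, Optional
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # assumption: only web links are wanted


def naive_link(url: str) -> str:
    """The 'filter "<" and you're done' approach: the URL goes straight into
    href, so a double quote inside it closes the attribute and whatever
    follows is parsed as further attributes of the same tag."""
    return '<a href="%s">link</a>' % url.replace("<", "")


def safe_link(url: str) -> Optional[str]:
    """Validate the URL as data (scheme allow-list), then escape it for the
    attribute context it is placed in. Returns None when rejected."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return None
    return '<a href="%s">link</a>' % html.escape(url, quote=True)


class _AnchorAttrs(HTMLParser):
    """Records the attributes the parser assigns to the first <a> tag."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs = []
        self.done = False

    def handle_starttag(self, tag, attrs):
        if tag == "a" and not self.done:
            self.attrs, self.done = attrs, True


def parsed_attrs(markup: str) -> Dict[str, Optional[str]]:
    """What a browser-like parser sees on the anchor (values unescaped)."""
    p = _AnchorAttrs()
    p.feed(markup)
    p.close()
    return dict(p.attrs)


# Constructed inputs: neither contains "<", so the naive filter passes both.
QUOTE_BREAKOUT = 'http://example.com/?q=" title="x'   # gains a title attribute
NON_WEB_SCHEME = "javascript:void(0)"                 # rejected by safe_link

if __name__ == "__main__":
    print(parsed_attrs(naive_link(QUOTE_BREAKOUT)))  # {'href': 'http://example.com/?q=', 'title': 'x'}
    print(parsed_attrs(safe_link(QUOTE_BREAKOUT)))   # {'href': 'http://example.com/?q=" title="x'}
    print(safe_link(NON_WEB_SCHEME))                 # None
```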
- Follow-Ups:
- Re: [tlug] Do you whitelist or blacklist utf-8?
- From: Stephen J. Turnbull
- References:
- [tlug] Do you whitelist or blacklist utf-8?
- From: Dave M G
- Re: [tlug] Do you whitelist or blacklist utf-8?
- From: Shmuel Fomberg
- Re: [tlug] Do you whitelist or blacklist utf-8?
- From: Josh Glover
- Re: [tlug] Do you whitelist or blacklist utf-8?
- From: Stephen J. Turnbull