[17116] in bugtraq
Re: Cross site scripting: a long term fix
daemon@ATHENA.MIT.EDU (Cooper)
Mon Oct 9 15:43:44 2000
Message-ID: <39E0E7EC.B1FDA922@Linuxfan.com>
Date: Sun, 8 Oct 2000 23:32:28 +0200
Reply-To: Cooper <Cooper@LINUXFAN.COM>
From: Cooper <Cooper@LINUXFAN.COM>
X-To: ZagZig@BIGFOOT.COM
To: BUGTRAQ@SECURITYFOCUS.COM
Zag Zig wrote:
>
> Applications that expect or require HTML input, such as
> web forums, should be aware of HTML security problems.
Exactly.
> Even for them, character filtering is not a good solution.
Oh?
> Most web programmers do not expect to find HTML or a script in
> simple text input fields and they should not be asked to check for it.
Why should they not be expected to check for it?
When you read text it's just that. Text! When the programmer wants to
display that text in an HTML document, he should convert that text to
HTML by replacing the special characters with their HTML counterpart.
There's only a handful of them, so what's the big problem here? Make a
simple text2html procedure and you're home free. *THAT* is what
should've been present in CGI/ASP/JSP/PHP/whatever from day 0 (and I
find it hard to believe it's not there already).
> Trying to solve this problem by filtering of 'special characters'
> on input or output is not the right way to do it.
> I do not see anything special about any of those characters.
> This will make the web more complex, not more reliable.
I don't see this as a solution that makes things simpler.
What's the difference between:
$RANDOM=gen_random();
echo "<TEXT key=$RANDOM>$DB_TEXT_FIELD</TEXT key=$RANDOM>";
and
$HTML_OUT=text2html($DB_TEXT_FIELD);
echo "<P>$HTML_OUT</P>";
Both solutions work just as well, but the impact on current software for
the latter solution is *FAR* less than for the first because it requires
an extension of the HTML standard...
Also note that your solution, if implemented today, will make your forum
accessible only to those lucky few who are willing to update their
browser so they can browse sites that use that tag. The rest will not
see the posted comments. Is it really worth all that to allow a web
programmer to have to think about one less issue?
Cooper
--
If you can read this you're probably not dead yet.
- Johnny The Homicidal Maniac 7 -
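The text2html routine Cooper describes, as an added example in Python rather than the post's PHP-style pseudocode; this is not code from the original message, and the sample forum post it handles is constructed for illustration.

```python
# Added example (not from the original post): a minimal text2html that
# converts untrusted text into HTML-safe text at output time, so a stored
# forum post is rendered as literal characters instead of parsed as markup.

# The handful of characters that mean something to an HTML parser in element
# content and in quoted attribute values. '&' must be in the table too:
# otherwise a stored "&lt;" would be turned back into a real "<" by the browser.
_HTML_SPECIAL = {
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#39;",
}
_TRANSLATION = str.maketrans(_HTML_SPECIAL)


def text2html(text: str) -> str:
    """Escape text for HTML element content or a double/single-quoted attribute.

    All replacements happen in one pass (str.translate), so the '&' of an
    entity we emit is never escaped a second time within the same call.
    This is NOT sufficient inside <script>, inside an unquoted attribute,
    or inside a URL; those contexts need their own encoders.
    """
    return text.translate(_TRANSLATION)


def render_post(db_text_field: str) -> str:
    """Mirror the second snippet from the post: escape, then wrap in <P>."""
    return "<P>" + text2html(db_text_field) + "</P>"


def contains_markup_chars(s: str) -> bool:
    """True if s still holds any character that could open a tag or
    terminate a quoted attribute value."""
    return any(c in s for c in "<>\"'")


if __name__ == "__main__":
    # Constructed sample of what a hostile user might type into a text field.
    post = '<script>alert(1)</script> & "quoted" it\'s'
    out = render_post(post)
    print(out)
    print("inert:", not contains_markup_chars(text2html(post)))
    # Escaping belongs at output, once: escaping twice corrupts the text.
    print("double-escaped '<':", text2html(text2html("<")))
```

Escaping once at render time, as the post argues, also avoids the double-encoding you get when the same text is escaped on input and again on output.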