[17134] in bugtraq
Re: Cross site scripting: a long term fix
daemon@ATHENA.MIT.EDU (Dmitry Yu. Bolkhovityanov)
Tue Oct 10 13:21:43 2000
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7BIT
Message-Id: <3D4FB0268@csd.inp.nsk.su>
Date: Tue, 10 Oct 2000 13:46:11 +0700
Reply-To: "Dmitry Yu. Bolkhovityanov" <D.Yu.Bolkhovityanov@INP.NSK.SU>
From: "Dmitry Yu. Bolkhovityanov" <D.Yu.Bolkhovityanov@INP.NSK.SU>
To: BUGTRAQ@SECURITYFOCUS.COM

On 8 Oct 00 at 17:15, dleblanc@MINDSPRING.COM wrote:
> >2.2. Adding the count of bytes in the text.
>
> ><text bytes='3'>ABC</text bytes='3'>
> ><text bytes='3'>ABC</text>
>
> >This works even better when tags are generated by
> >a program. Counting bytes is a cheap operation.
>
> I like this better. Server gets n bytes from client, escapes out all of
> them. I can't think of a way around this just at the moment.

There is a small problem: if this resulting HTML code gets transcoded
to/from UTF8, the "bytes" value will become wrong. And this conversion can
happen in a proxy (which should *not* interpret each and every tag).
UTF8 is probably not the only "problem-raising" encoding -- various CJK-
related schemes come to mind.

BTW, what should the "bytes=" mean -- bytes or characters?

___________________________________________________________________
Dmitry Yu. Bolkhovityanov | Novosibirsk, RUSSIA
phone (383-2)-39-49-56 | The Budker Institute of Nuclear Physics
| Lab. 5-13
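
The transcoding problem raised in this message, as an added example that is not part of the original post: a server counts bytes in one charset, a proxy converts the charset without touching tags, and a client trusts the now stale count. The function names, the minimal `<text bytes='N'>` reader and the sample strings are assumptions constructed for illustration.

```python
import re

OPEN = re.compile(rb"<text bytes='(\d+)'>")

def wrap(text: str, charset: str) -> bytes:
    """Server: emit the counted element, N = encoded length in `charset`."""
    payload = text.encode(charset)
    return b"<text bytes='%d'>%s</text>" % (len(payload), payload)

def transcode(doc: bytes, src: str, dst: str) -> bytes:
    """Proxy: convert the charset only; tags and attributes are not touched."""
    return doc.decode(src).encode(dst)

def read_counted(doc: bytes) -> tuple:
    """Client: treat exactly N bytes after the open tag as literal text.
    Returns (literal_text, remainder_that_would_be_parsed_as_markup)."""
    m = OPEN.match(doc)
    if m is None:
        raise ValueError("no counted <text> element at start of document")
    n, start = int(m.group(1)), m.end()
    return doc[start:start + n], doc[start + n:]

def survives(text: str, src: str, dst: str) -> bool:
    """True if the count still delimits exactly the text after src -> dst."""
    literal, rest = read_counted(transcode(wrap(text, src), src, dst))
    return literal == text.encode(dst) and rest == b"</text>"

# Constructed sample inputs.
SAMPLE_RU = "Привет <b>"   # 10 bytes in KOI8-R, 16 bytes in UTF-8
SAMPLE_JA = "日本語"        # 6 bytes in Shift_JIS, 9 bytes in UTF-8

if __name__ == "__main__":
    for text, src, dst in [("ABC", "ascii", "utf-8"),
                           (SAMPLE_RU, "koi8-r", "utf-8"),
                           (SAMPLE_RU, "utf-8", "koi8-r"),
                           (SAMPLE_JA, "shift_jis", "utf-8")]:
        literal, rest = read_counted(transcode(wrap(text, src), src, dst))
        print(f"{src}->{dst}: ok={survives(text, src, dst)} "
              f"literal={literal.decode(dst, 'replace')!r} "
              f"rest={rest.decode(dst, 'replace')!r}")
```

When the text grows in transit (KOI8-R or Shift_JIS to UTF-8) the count ends early and the tail of the user-supplied text, here including `<b>`, falls outside the escaped region; when it shrinks, the count swallows the closing tag.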