Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos



WebApp Sec: Antigen forwarded attachment

Antigen forwarded attachment

From: <Antigen_MISS_at_securityfocus.com>
Date: 20 Jun 2003 10:06:52 +0200

The entire message "RE: Preventing cross site scripting", originally sent to you by Mutallip Ablimit (mutax_at_insi.co.jp), has been forwarded to you from the Antigen Quarantine area.
This message may have been re-scanned by Antigen and handled according to the appropriate scan job's settings.

<<Entire Message.eml>>

attached mail follows:

Yes, replace all of the unacceptable tags with "", it will work fine.
And for a plus,
PHP has a strip_tags() function.
Didn't have tried yet, but I think it could be used to remove all
unacceptable tags.
In this case, may be you have to make a list of all allowed tags.

strip_tags($Text, "<allowed tag>");

This will only allows the "<allowed tag>".

Regards,

-----------
Mutellip Ablimit
INSI
mutax_at_insi.co.jp

-----Original Message-----
From: David Cameron [mailto:dcameron_at_itis-now.com]
Sent: Friday, June 20, 2003 10:51 AM
To: Andrew Beverley; webappsec_at_securityfocus.com
Subject: RE: Preventing cross site scripting

Create a list of unacceptable tags in an array (eg applet, embed), loop
through the array and generate a regexpr based on the array, something of
the form:
<(applet)|(embed).?> and replace all instances with "".

Do the same for any possible closing tags ie:
</(applet)|(embed)> and replace all instances with "".

BTW the RegExpr may be wrong, I'm not all that hot on RegExprs, but you get
the idea.

regards
David Cameron
nOw.b2b
dcameron_at_itis-now.com

> -----Original Message-----
> From: Andrew Beverley [mailto:mail_at_andybev.com]
> Sent: Friday, 20 June 2003 4:28 AM
> To: webappsec_at_securityfocus.com
> Subject: Preventing cross site scripting
>
>
> I am currently writing a web application that, as a small part of it,
> needs to display an email message. Obviously the message is
> potentially
> in html format, which to display could be sent straight to
> the browser.
>
> I would like to know the best way of filtering out undesirable html. I
> understand the best way is to only allow acceptable
> information, in this
> case all the different html formatting tags.
>
> However, there is a lot of tags that are acceptable. Another approach
> would be to strip out all the bad stuff such as <SCRIPT>, <OBJECT>,
> <APPLET>, and <EMBED> but this is far from ideal because of new tags
> becoming available and so on.
>
> Are there any functions available (for php) that will take a html page
> as input and strip out all nasty stuff? Does anyone have
> suggestions as
> to how to do this as easy as possible?
>
> Thanks,
>
> Andrew Beverley
>
>
>
>
>
Received on Jun 20 2003

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
edgeos