Re: CERT Advisory on malicious scripts
This WebDNA talk-list message is from 2000
It keeps the original formatting.
numero = 27020
At 3:23 PM 2/3/00, Kenneth Grome wrote:
>> >CERT has released an advisory regarding web based systems, such as
>> >message boards, and their ability to include malicious scripts. Does
>> >anyone have any quick method for recognizing malicious code from form
>> >entries processed by webCat?
>>
>> The simplest method to prevent this problem is to strip the < character
>> from your form values using a special db with convertchars to convert it
>> to nothing. This effectively prevents people from creating HTML tags.

Would [url] encoding every user entered text field that is to be displayed
work as a quick stop gap? In other words, if someone has included any html
in their entries and that data is now in the database, and we want to
display it back to some other visitor, encoding it would make it, for
example, <form.... and so it wouldn't be recognized by the receiver's
browser as html.???
Joseph D'Andrea
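
The two approaches discussed in this thread, stripping `<` and URL-encoding at display time, compared side by side with HTML entity encoding. This is an added example, not part of the original message, and it is written in Python rather than WebDNA; the sample entries and all function names are constructed for illustration, and `html_encode` is a third option included for comparison. `parsed_tags` reports which tags and attributes an HTML parser sees when each result is placed in a page body or inside an attribute value.

```python
import html
from html.parser import HTMLParser
from urllib.parse import quote

# Constructed sample form entries (not taken from the thread).
PLAIN = 'Widgets < $5 & gadgets > $9'    # legitimate text containing '<'
TAGGED = '<script>alert(1)</script>'      # markup submitted in a form field
QUOTED = '" onmouseover="alert(1)'        # contains no '<' at all

def strip_lt(value):
    """Approach from the quoted reply: delete every '<' character."""
    return value.replace('<', '')

def url_encode(value):
    """Approach asked about in the message: percent-encode before display."""
    return quote(value, safe='')

def html_encode(value):
    """HTML entity encoding at display time, for comparison."""
    return html.escape(value, quote=True)

def in_body(text):
    return '<p>' + text + '</p>'

def in_attribute(text):
    return '<input type="text" value="' + text + '">'

class _Tags(HTMLParser):
    """Records each start tag and its attribute names as a parser sees them."""
    def __init__(self):
        super().__init__()
        self.seen = []

    def handle_starttag(self, tag, attrs):
        self.seen.append((tag, sorted(name for name, _ in attrs)))

def parsed_tags(fragment):
    parser = _Tags()
    parser.feed(fragment)
    parser.close()
    return parser.seen

if __name__ == '__main__':
    for name, fn in (('strip <', strip_lt), ('url', url_encode), ('html', html_encode)):
        for sample in (PLAIN, TAGGED, QUOTED):
            out = fn(sample)
            print(name, '|', out, '|', parsed_tags(in_body(out)), parsed_tags(in_attribute(out)))
```

Stripping `<` alters the legitimate entry and leaves the third sample untouched, so it still adds an attribute when echoed into a form field; URL-encoding neutralises all three but the visitor sees the percent-encoded text; entity encoding neutralises all three and displays the original characters.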