Re: CERT Advisory on malicious scripts

This WebDNA talk-list message is from 2000.
>>> The simplest method to prevent this problem is to strip the < character from
>>> your form values using a special db with convertchars to convert it to
>>> nothing. This effectively prevents people from creating HTML tags.
>
>> I also found that if you enclose the suspect value in
>> tags in the displaying page, the HTML tags will just be listed, but not interpreted.

This may work for some tags -- on some browsers -- but Netscape definitely interprets font tags instead of displaying them, so it probably interprets other html tags as well. I would not rely on this technique unless you test it first on ALL browsers ...

================================
Kenneth Grome, WebDNA Consultant
808-737-6499, http://webdna.net
================================
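As an added illustration of the two approaches discussed in this thread (not code from the list or from WebDNA), the Python below compares converting `<` to nothing, as the convertchars db would, with encoding the markup characters as HTML entities so the browser displays them literally; the guestbook template, sample form values and function names are assumptions.

```python
import re

# Characters that can start or end markup in an HTML text node or a quoted
# attribute value. '&' is encoded first so the entities we emit are not
# re-encoded by the later replacements.
_ESCAPES = [
    ("&", "&amp;"),
    ("<", "&lt;"),
    (">", "&gt;"),
    ('"', "&quot;"),
    ("'", "&#39;"),
]


def escape_html(value: str) -> str:
    """Encode a user-supplied value so a browser shows it as text, not markup."""
    for raw, encoded in _ESCAPES:
        value = value.replace(raw, encoded)
    return value


def strip_lt(value: str) -> str:
    """The list's suggestion: convert '<' to nothing (what a convertchars db does)."""
    return value.replace("<", "")


# Anything a browser would parse as an element start or end tag.
TAG_RE = re.compile(r"<[A-Za-z/][^>]*>")


def has_tags(value: str) -> bool:
    """Check a processed value for surviving tags before it goes into a page."""
    return TAG_RE.search(value) is not None


def render_entry(name: str, comment: str, sanitize=escape_html) -> str:
    """Build the HTML a guestbook page would emit for one entry (assumed template)."""
    return f'<p class="entry"><b>{sanitize(name)}</b>: {sanitize(comment)}</p>'


# Constructed sample form values, not taken from the original thread.
SAMPLE_NAME = "Ken <b>G</b>"
SAMPLE_COMMENT = "Use a < b && c > d check"

if __name__ == "__main__":
    print(render_entry(SAMPLE_NAME, SAMPLE_COMMENT))            # entities, text preserved
    print(render_entry(SAMPLE_NAME, SAMPLE_COMMENT, strip_lt))  # no tags, but data mangled
```

Both functions leave no tag in the output, but stripping silently alters legitimate input such as the comparison in the sample comment, while entity encoding keeps it intact and does not depend on how a particular browser treats a wrapper tag.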





Associated Messages, from the most recent to the oldest:

    
  1. Re: CERT Advisory on malicious scripts (Kenneth Grome 2000)
  2. Re: CERT Advisory on malicious scripts (Miguel Castaneda 2000)
  3. Re: CERT Advisory on malicious scripts (Kenneth Grome 2000)
  4. Re: CERT Advisory on malicious scripts (John Butler 2000)
  5. Re: CERT Advisory on malicious scripts (Joseph D'Andrea 2000)
  6. Re: CERT Advisory on malicious scripts (Kenneth Grome 2000)
  7. Re: CERT Advisory on malicious scripts (Joseph D'Andrea 2000)
  8. Re: CERT Advisory on malicious scripts (The Mooseman 2000)
  9. Re: CERT Advisory on malicious scripts (Alex McCombie 2000)
  10. Re: CERT Advisory on malicious scripts (Kenneth Grome 2000)
  11. CERT Advisory on malicious scripts (Joseph D'Andrea 2000)