Re: [OT] "Hacker Safe"
This WebDNA talk-list message is from 2007
Clint Davis wrote:
> Donovan,
>
> We use Scan Alert too, and we've had several XSS vulnerabilities discovered.
> Basically, you don't want to blindly display incoming variables on your page
> - they need to be cleansed. Here's some code we developed to clean things
> up:
>
> [!]========== CLEANSE THE VARIABLES TO PREVENT XSS ==========[/!]
> [formvariables]
> [text]clean_[name]=[grep
> search=([\'"])&replace=\\1][removehtml][value][/removehtml][/grep][/text]
> [/formvariables]
>
> Then use [clean_variable1], [clean_variable2], etc. to display the
> information on the page.
>
> For more on the dangers of XSS, read the "Exploit Scenarios" section of this
> page: http://en.wikipedia.org/wiki/XSS

!@#$ script kiddies. How do they have that much time?

Thanks for the cleansing ideas... This is not a bank's website or anything such as that, so encoding the suspect characters will be sufficient in this case.

I took a bit of time to get my head around the scope of this type of attack. It seems to me that as long as one uses basic secure coding techniques, i.e. no sensitive info in cookies or embedded in the code (namely price change password), no re-displaying of credit card info etc., that it would take some really dedicated and ingenious cracker to glean anything from XSS... however, I guess there are those out there who make it their mission...

Donovan

--
=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o
DONOVAN D. BROOKE
EUCA Design Center
<- Web Development (specializing in eCommerce), ->
<- Desktop Publishing, Print Consulting, Labels ->
<- Glass Blowing, and Art Glass ->
PH/FAX:> 1 (608) 770-3822
Web:> http://www.egg.bz | http://www.euca.us
=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o
-------------------------------------------------------------
This message is sent to you because you are subscribed to the mailing list. Web Archive of this list is at: http://webdna.smithmicro.com/
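A Python rendering of the cleansing loop from the thread, added here as an example and not code from either poster: it builds a clean_<name> copy of every form variable, first with the strip-tags-then-escape-quotes approach Clint posted, then with plain HTML entity encoding, which is the "encode the suspect characters" option Donovan settles on. SAMPLE_FORM is a constructed request, and all function names are assumptions.

```python
import html
import re

# Anything that looks like an HTML tag; a rough analogue of [removehtml].
TAG_RE = re.compile(r"<[^>]*>")


def strip_tags(value: str) -> str:
    """Remove tag-shaped substrings from the value (list-style cleanse, step 1)."""
    return TAG_RE.sub("", value)


def escape_quotes(value: str) -> str:
    """Backslash-escape ' and " like the [grep search=([\'"])&replace=\\1] call."""
    return re.sub(r"""(['"])""", r"\\\1", value)


def cleanse_list_style(value: str) -> str:
    """The posted WebDNA recipe: strip HTML, then escape quotes.

    Caveat: tag stripping is a blacklist. It leaves no '<' behind for this
    input, but it is not a substitute for encoding in the output context.
    """
    return escape_quotes(strip_tags(value))


def encode_for_html(value: str) -> str:
    """Entity-encode so the browser shows the text literally, tags included."""
    return html.escape(value, quote=True)


def clean_form_variables(form: dict, cleanser=encode_for_html) -> dict:
    """Mirror of the [formvariables] loop: clean_<name> for every incoming variable."""
    return {f"clean_{name}": cleanser(value) for name, value in form.items()}


# Constructed sample request (not real traffic): one harmless field, one
# field carrying markup and quotes that must not reach the page unchanged.
SAMPLE_FORM = {
    "name": "Donovan",
    "comment": "<script>alert('x')</script> nice \"site\"",
}

if __name__ == "__main__":
    for label, fn in (("list-style", cleanse_list_style), ("encoded", encode_for_html)):
        print(label, clean_form_variables(SAMPLE_FORM, fn))
```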
Donovan Brooke