[WEB SECURITY] XSS filters

Chris Weber chris at lookout.net
Tue Jun 14 19:46:35 EDT 2005


Nothing specific, and you sound like you already know what's going on a bit.
I've never seen a good XSS filter that couldn't be bypassed in some way.  So
my recommendations to you are generic and simple right now.  Create some
centralized, reusable input validation routines and output sanitization
routines.
 
- whitelist instead of blacklist all input
- run all validation routines server-side, not client-side
- sanitize all output as safe URL or HTML encodings

  _____  

From: dpw [mailto:dainw at fsr.com] 
Sent: Tuesday, June 14, 2005 4:35 PM
To: websecurity at webappsec.org
Subject: [WEB SECURITY] XSS filters


Howdy everyone,
 
I am attempting to develop some XSS filters and am concerned that my
"homegrown" attempts wouldn't even begin to cover all of the bases - am
justifiably concerned that what I can find on XSS vulnerabilities on the web
is just the tip of the iceberg compared to what is not on the web... 
 
Does anyone have any code / resource that can help to develop a more
comprehensive XSS filter? For what it's worth, I am developing for the ASP
environment...
 
Thanks in advance!
Dain White
 
Senior Developer
First Step Internet, L.L.C.
 
www.fsr.com | www.fsr.net
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/attachments/20050614/559dec13/attachment.html>
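Chris Weber's three recommendations above, as an added example that is not part of the original thread and is written in Python rather than the poster's ASP. The field names, the whitelist patterns and the "naive_blacklist" filter are assumptions made for illustration; the point is that validation and encoding live in one server-side module, every value is checked against what it is allowed to contain, and every value is encoded for the exact HTML or URL context it is written into.

```python
"""Centralized input validation and output encoding (added example, not from the thread).

Implements the reply's advice: whitelist input, validate server-side, and
encode output for the context it lands in.  Field names and patterns below
are assumptions for illustration only.
"""
import html
import re
import urllib.parse

# Whitelist per field: each admits only the characters the field needs.
# Hypothetical rules; a real application defines one per accepted input.
WHITELIST = {
    "username": re.compile(r"^[A-Za-z0-9_]{3,32}$"),
    "zipcode": re.compile(r"^\d{5}$"),
    "comment": re.compile(r"^[\w .,!?'-]{1,500}$"),
}


def validate(field, value):
    """Return value if it fully matches the field's whitelist, else raise.

    This is the server-side check; any client-side copy is a convenience
    for the user, never a security control.
    """
    pattern = WHITELIST.get(field)
    if pattern is None:
        raise ValueError(f"no validation rule for field {field!r}")
    if not isinstance(value, str) or not pattern.fullmatch(value):
        raise ValueError(f"rejected value for field {field!r}")
    return value


def is_valid(field, value):
    """Boolean form of validate() for callers that only need a yes/no."""
    try:
        validate(field, value)
        return True
    except ValueError:
        return False


def encode_html_text(value):
    """Encode for text between tags: & < > " ' become entities."""
    return html.escape(value, quote=True)


def encode_html_attr(value):
    """Encode for a double-quoted attribute value.

    Same entity set as text; the caller must actually quote the attribute
    or the encoding alone does not stop a break-out.
    """
    return html.escape(value, quote=True)


def encode_url_param(value):
    """Encode for a query-string parameter: percent-encode everything
    outside the unreserved set, including & = and spaces."""
    return urllib.parse.quote(value, safe="")


def naive_blacklist(value):
    """A typical homegrown blacklist: strip one literal <script> tag.

    Kept here only to show why blacklists fail; nesting the forbidden
    token inside itself survives a single pass of stripping.
    """
    return re.sub(r"(?i)<script>", "", value, count=1)


def render_comment_page(username, comment, next_url):
    """Build an HTML fragment with each untrusted value validated and then
    encoded for the context it is inserted into."""
    username = validate("username", username)
    comment = validate("comment", comment)
    return (
        f'<p class="by" data-user="{encode_html_attr(username)}">'
        f"{encode_html_text(username)} wrote: {encode_html_text(comment)}</p>"
        f'<a href="/next?u={encode_url_param(next_url)}">next</a>'
    )


if __name__ == "__main__":
    # Constructed sample inputs for a stand-alone run.
    print(render_comment_page("bob", "hi there!", "x&y"))
    print(is_valid("comment", "<script>alert(1)</script>"))  # rejected by whitelist
    print(naive_blacklist("<scr<script>ipt>alert(1)</script>"))  # blacklist bypassed
    print(encode_html_text("<scr<script>ipt>alert(1)</script>"))  # encoding neutralizes it
```

The whitelist rejects the payload outright, the blacklist lets a nested variant through, and the encoder renders the same payload as inert text; that ordering is the reply's argument in working form.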

