[WEB SECURITY] XSS filters

Matt Fisher mfisher at spidynamics.com
Thu Jun 16 11:22:39 EDT 2005


I've seen some sites that employ alternate character sets as well.  Meta
tag on the client, unfortunately, but an interesting technique to
research further, although I personally prefer just doing the three
things you mentioned.


________________________________

	From: Chris Weber [mailto:chris at lookout.net] 
	Sent: Tuesday, June 14, 2005 7:47 PM
	To: dainw at fsr.com; websecurity at webappsec.org
	Subject: RE: [WEB SECURITY] XSS filters
	
	
	Nothing specific, and you sound like you already know what's
going on a bit.  I've never seen a good XSS filter that couldn't be
bypassed in some way.  So my recommendations to you are generic and
simple right now.  Create some centralized, reusable input validation
routines and output sanitization routines.
	 
	- whitelist instead of blacklist all input
	- run all validation routines server-side, not client-side
	- sanitize all output as safe URL or HTML encodings

________________________________

	From: dpw [mailto:dainw at fsr.com] 
	Sent: Tuesday, June 14, 2005 4:35 PM
	To: websecurity at webappsec.org
	Subject: [WEB SECURITY] XSS filters
	
	
	Howdy everyone,
	 
	I am attempting to develop some XSS filters and am concerned
that my "homegrown" attempts wouldn't even begin to cover all of the
bases - I am justifiably concerned that what I can find on XSS
vulnerabilities on the web is just the tip of the iceberg compared to
what is not on the web... 
	 
	Does anyone have any code / resource that can help to develop a
more comprehensive XSS filter? For what it's worth, I am developing for
the ASP environment...
	 
	Thanks in advance!
	
	Dain White
	 
	Senior Developer
	First Step Internet, L.L.C.
	www.fsr.com | www.fsr.net

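The three recommendations above (whitelist the input, validate on the server, encode the output) next to the kind of blacklist filter the thread says always gets bypassed, as an added example that is not code from any of the posters. The original question concerned ASP; the example is written in JavaScript, which classic ASP could also run server-side as JScript, and the function names, the display-name field and the sample inputs are this example's own assumptions.

```javascript
// Added example, not from the mailing list thread. Shows why a blacklist
// filter fails and what the whitelist-validate-then-encode approach looks
// like. All names and sample strings here are invented for illustration.

// 1. A blacklist filter of the kind the thread warns against: it strips the
//    literal tag "<script>" and lets everything else through.
function blacklistFilter(input) {
  return String(input).replace(/<script>/gi, "");
}

// 2. Whitelist validation for one field, run on the server. A display name
//    here is letters, digits, space, apostrophe or hyphen, 1 to 40 chars.
//    Anything else is rejected outright rather than "cleaned".
const DISPLAY_NAME = /^[A-Za-z0-9 '\-]{1,40}$/;
function validateDisplayName(input) {
  return DISPLAY_NAME.test(String(input));
}

// 3. Output encoding for an HTML text node or a double-quoted attribute
//    value: every character that can change the HTML parser's state is
//    replaced by an entity, so the value is data no matter what it contains.
function htmlEncode(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;",
                '"': "&quot;", "'": "&#39;", "/": "&#47;" };
  return String(s).replace(/[&<>"'\/]/g, (c) => map[c]);
}

// 4. Output encoding for a value placed in a URL query component.
function urlEncode(s) {
  return encodeURIComponent(String(s));
}

// Render a fragment that uses the name both as attribute and as text.
// The encoding happens at output time, per context, not at input time.
function renderGreeting(name) {
  return '<p title="' + htmlEncode(name) + '">Hello, ' + htmlEncode(name) + "</p>";
}

// The request handler a form would call: validate first, encode on output.
function handleSubmission(name) {
  if (!validateDisplayName(name)) {
    return { ok: false, html: null };
  }
  return { ok: true, html: renderGreeting(name) };
}

// Demonstration with constructed inputs.
const nested = "<scr<script>ipt>alert(1)</script>";   // survives the blacklist
const handler = "<img src=x onerror=alert(1)>";        // never matched at all
console.log("blacklist:", blacklistFilter(nested));     // <script>alert(1)</script>
console.log("blacklist:", blacklistFilter(handler));    // unchanged
console.log("whitelist:", handleSubmission(handler));   // { ok: false, ... }
console.log("encoded  :", handleSubmission("O'Brien").html);
```

Note that the blacklist version is defeated by the nested-tag string because the filter runs once and its own removal reassembles the forbidden token, and by the attribute payload because the forbidden token never appears; the whitelist version never has to know what an attack looks like, only what a valid display name looks like. Where a field legitimately needs HTML (a rich-text comment), the validation step becomes parsing to an allowed tag and attribute set, but the output encoding of everything outside that set stays the same.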

