Re: [OT] "Hacker Safe"
This WebDNA talk-list message is from 2007
Clint Davis wrote:
> Donovan,
>
> We use Scan Alert too, and we've had several XSS vulnerabilities discovered.
> Basically, you don't want to blindly display incoming variables on your page
> - they need to be cleansed. Here's some code we developed to clean things
> up:
>
> [!]========== CLEANSE THE VARIABLES TO PREVENT XSS ==========[/!]
> [formvariables]
> [text]clean_[name]=[grep search=([\'"])&replace=\\1][removehtml][value][/removehtml][/grep][/text]
> [/formvariables]
>
> Then use [clean_variable1], [clean_variable2], etc. to display the
> information on the page.
>
> For more on the dangers of XSS, read the "Exploit Scenarios" section of this
> page: http://en.wikipedia.org/wiki/XSS

!@#$ script kiddies. How do they have that much time?

Thanks for the cleansing ideas... This is not a bank's website or anything such as that, so encoding the suspect characters will be sufficient in this case.

I took a bit of time to get my head around the scope of this type of attack. It seems to me that as long as one uses basic secure coding techniques, i.e. no sensitive info in cookies or embedded in the code (namely price change password), no re-displaying of credit card info etc., that it would take some really dedicated and ingenious cracker to glean anything from XSS... however, I guess there are those out there who make it their mission...

Donovan

--
=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o
DONOVAN D. BROOKE
EUCA Design Center
<- Web Development (specializing in eCommerce) ->
<- Desktop Publishing, Print Consulting, Labels ->
<- Glass Blowing, and Art Glass ->
PH/FAX:> 1 (608) 770-3822
Web:> http://www.egg.bz | http://www.euca.us
=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o
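As an added example (not code from the thread or from WebDNA): a Python equivalent of the cleanse step quoted above, mirroring the [formvariables] loop, the [removehtml] pass and the quote handling, plus a pre-output check that no markup-significant characters survive. Function names and the sample form are my own, stdlib only.

```python
from html import escape
from html.parser import HTMLParser


class _TagStripper(HTMLParser):
    """Keeps only text nodes and drops every tag (the [removehtml] step)."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.parts = []

    def handle_data(self, data):
        self.parts.append(data)


def remove_html(value: str) -> str:
    """Return the text content of value with all markup removed.
    An unterminated tag at the end is flushed as plain text by close()."""
    stripper = _TagStripper()
    stripper.feed(value)
    stripper.close()
    return "".join(stripper.parts)


def cleanse(value: str) -> str:
    """Strip markup, then entity-encode what is left so a browser renders
    it as text in an HTML context: & < > " and ' all become entities."""
    return escape(remove_html(value), quote=True)


def cleanse_form_variables(form: dict) -> dict:
    """Build a clean_<name> entry for every incoming form variable,
    like the [formvariables] loop in the thread."""
    return {f"clean_{name}": cleanse(value) for name, value in form.items()}


def is_inert(text: str) -> bool:
    """Pre-output check: no raw markup-significant characters remain
    (& is allowed because the entities themselves contain it)."""
    return not any(ch in text for ch in '<>"\'')


# Constructed sample input, standing in for a submitted form.
SAMPLE_FORM = {"name": "O'Brien", "comment": 'say "hi" <i>there</i>'}

if __name__ == "__main__":
    for key, val in cleanse_form_variables(SAMPLE_FORM).items():
        print(key, "=", val, "| inert:", is_inert(val))
```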
Donovan Brooke