Cross-site scripting attacks
Posted Apr 13, 2006 20:49 UTC (Thu) by iabervon
In reply to: Cross-site scripting attacks
Parent article: Cross-site scripting attacks
For many applications, it's nicer to just have a print function that quotes everything it gets, and a separate printTag function that can be used to insert non-text. It's an easier conversion than switching to DOM, doesn't inherently require that the whole document be stored at once, and still fails safely (i.e., if you call printTag on a non-tag, it gives you an error; if you call print on a tag, it gives you the escaped version; either way, bugs in the normal case are quick to find and in attacks nothing happens).
The harder thing is actually cases where you want to permit some markup but not scripts, especially if what you're accepting is HTML fragments. (Not that people don't often screw up the easy cases.)
Of course, these problems should really be called HTML injection attacks, since they're essentially the same as SQL injection attacks: some content which is supposed to be a string literal is treated as structure. Of course, trying to do the equivalent of a prepared statement would be a bit less practical (use AJAX to get each variable region as a separate request and insert it as the appropriate type?).
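An added example of the two-function scheme described in the comment above (my code, not iabervon's): `render_text` escapes whatever it is given, while `render_tag` accepts only a single well-formed tag from an allowlist and raises otherwise, so swapping the two by mistake either errors out or yields harmless escaped text. The tag and attribute allowlists and the regex grammar are my assumptions.

```python
import html
import re

# Assumed policy: a tiny allowlist of tags and attributes. Anything else
# (event handlers, script, unknown tags) is rejected rather than passed through.
_ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "ul", "ol", "li", "br", "a"}
_ALLOWED_ATTRS = {"href", "title"}

# Exactly one opening, closing or self-closing tag, attribute values double-quoted
# and free of quote/angle characters, so no second tag can hide inside a value.
_TAG_RE = re.compile(
    r'^<(/?)([a-zA-Z][a-zA-Z0-9]*)((?:\s+[a-zA-Z-]+="[^"<>]*")*)\s*(/?)>$'
)
_ATTR_RE = re.compile(r'\s+([a-zA-Z-]+)="([^"<>]*)"')


def render_text(s: str) -> str:
    """The 'print' of the comment: everything becomes character data."""
    return html.escape(s, quote=True)


def render_tag(tag: str) -> str:
    """The 'printTag' of the comment: emit markup only if it is one allowed tag."""
    m = _TAG_RE.match(tag)
    if m is None:
        raise ValueError(f"not a single well-formed tag: {tag!r}")
    closing, name, attrs, _selfclose = m.groups()
    name = name.lower()
    if name not in _ALLOWED_TAGS:
        raise ValueError(f"tag not allowed: {name}")
    if closing and attrs:
        raise ValueError("closing tags take no attributes")
    for attr, value in _ATTR_RE.findall(attrs):
        if attr.lower() not in _ALLOWED_ATTRS:
            raise ValueError(f"attribute not allowed: {attr}")
        if attr.lower() == "href" and not value.lower().startswith(("http://", "https://")):
            raise ValueError("href must be an absolute http(s) URL")
    return tag


def render_comment(author: str, body: str) -> str:
    """Build a fragment from trusted tags and untrusted text, never mixing the two."""
    parts = [render_tag("<p>"), render_tag("<b>"), render_text(author), render_tag("</b>"),
             render_text(": "), render_text(body), render_tag("</p>")]
    return "".join(parts)


if __name__ == "__main__":
    # Constructed sample input: an attacker-controlled comment body.
    print(render_comment("Bob <b>", "x<img src=x onerror=alert(1)>"))
```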