Posted to modperl@perl.apache.org by Stas Bekman <st...@stason.org> on 2003/03/11 05:03:22 UTC

ANNOUNCE: Apache-VMonitor 0.8

Changes since 0.7

* prevent cross-site scripting, now HTML-escaping the request field

* mention in the docs that ExtendedStatus On is not coming for free.

----

The uploaded file

     Apache-VMonitor-0.8.tar.gz

has entered CPAN as

   file: $CPAN/authors/id/S/ST/STAS/Apache-VMonitor-0.8.tar.gz
   size: 18209 bytes
    md5: 88cfba14794b50cb0642931cd19d42da

No action is required on your part
Request entered by: STAS (Stas Bekman)
Request entered on: Tue, 11 Mar 2003 04:01:10 GMT
Request completed:  Tue, 11 Mar 2003 04:01:42 GMT

	Virtually Yours,
paused, v276

-- 


__________________________________________________________________
Stas Bekman            JAm_pH ------> Just Another mod_perl Hacker
http://stason.org/     mod_perl Guide ---> http://perl.apache.org
mailto:stas@stason.org http://use.perl.org http://apacheweek.com
http://modperlbook.org http://apache.org   http://ticketmaster.com


Re: Cross Site Scripting

Posted by Matt Sergeant <ma...@sergeant.org>.
On Tue, 11 Mar 2003, Clinton Gormley wrote:

> On Tue, 2003-03-11 at 06:03, Stas Bekman wrote:
>
> > Changes since 0.7
> >
> > * prevent cross-site scripting, now HTML-escaping the request field
> >
>
> In Stas' Apache::VMonitor announcement, he mentions changes to prevent
> cross site scripting.
>
> This is a concern for me at the moment, because I'm building a site
> which will allow people to submit copy (to be displayed to other users)
> and I would like them to be able to use HTML and include links to other
> sites (much like slashdot).
>
> Do any of you have any ideas about good techniques to prevent CSS (and I
> don't mean those <div> elements) in this scenario?

I hate to blatantly advertise, but using AxKit mostly mitigates XSS (don't
use the term CSS to mean cross site scripting - it's confusing) bugs, with
the exception of javascript in URLs and blank lines inserted into headers
from a user submission. So you vastly limit the things you have to check
for.

-- 
<!-- Matt -->
<:->get a SMart net</:->
Spam trap - do not mail: spam-sig@spamtrap.messagelabs.com

Re: Cross Site Scripting

Posted by Nathan Byrd <na...@byrd.net>.
On Tue, 2003-03-11 at 02:58, Clinton Gormley wrote:
> On Tue, 2003-03-11 at 06:03, Stas Bekman wrote: 
> > Changes since 0.7
> > 
> > * prevent cross-site scripting, now HTML-escaping the request field
> In Stas' Apache::VMonitor announcement, he mentions changes to prevent
> cross site scripting.
> 
> This is a concern for me at the moment, because I'm building a site
> which will allow people to submit copy (to be displayed to other
> users) and I would like them to be able to use HTML and include links
> to other sites (much like slashdot).
> 
> Do any of you have any ideas about good techniques to prevent CSS (and
> I don't mean those <div> elements) in this scenario?
> 
> I've read the articles on cert.org
> (http://www.cert.org/tech_tips/malicious_code_mitigation.html) and
> apache.org
> (http://httpd.apache.org/info/css-security/encoding_examples.html)
> 

There is also a great article by Paul Lindner, titled "Preventing
Cross-site Scripting Attacks" which I found very helpful, available at:
http://www.perl.com/pub/a/2002/02/20/css.html

Thanks,

-- 
Nathan Byrd <na...@byrd.net>


Re: Cross Site Scripting

Posted by Ilya Martynov <il...@martynov.org>.
>>>>> On 11 Mar 2003 10:58:01 +0200, Clinton Gormley <cl...@drtech.co.uk> said:

CG> On Tue, 2003-03-11 at 06:03, Stas Bekman wrote:
CG>           Changes since 0.7

CG> * prevent cross-site scripting, now HTML-escaping the request field

CG> In Stas' Apache::VMonitor announcement, he mentions changes to
CG> prevent cross site scripting.

CG> This is a concern for me at the moment, because I'm building a
CG> site which will allow people to submit copy (to be displayed to
CG> other users) and I would like them to be able to use HTML and
CG> include links to other sites (much like slashdot).

CG> Do any of you have any ideas about good techniques to prevent CSS
CG> (and I don't mean those <div> elements) in this scenario?

Limit HTML to some safe subset and use HTML::TagFilter to enforce it.

Make sure that you don't allow tag attributes which allow running
javascript (like onclick, onchange, etc). The only problem with
HTML::TagFilter I see is that it doesn't support restricting schemas
in URIs. You definitely should not allow links like

<a href="javascript:something">

But maybe it is possible to extend HTML::TagFilter to do this too.

-- 
Ilya Martynov,  ilya@iponweb.net
CTO IPonWEB (UK) Ltd
Quality Perl Programming and Unix Support
UK managed @ offshore prices - http://www.iponweb.net
Personal website - http://martynov.org
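
An added example, not part of the thread or of HTML::TagFilter: a sketch of the approach described in the post above (a tag and attribute allowlist plus a URI scheme check on href), written with HTML::Parser and HTML::Entities instead of HTML::TagFilter. The policy in %ALLOWED, the names safe_url and sanitize, and the sample input are assumptions made for illustration.

```perl
use strict;
use warnings;
use HTML::Parser   ();
use HTML::Entities qw(encode_entities);

# Assumed policy for this example: tag => attributes permitted on that tag.
my %ALLOWED = (a => ['href'], b => [], i => [], em => [], strong => [], p => [], br => []);
my %VOID    = (br => 1);          # tags that take no end tag

# Accept http, https and mailto, or a relative reference that carries no scheme.
sub safe_url {
    (my $u = shift) =~ s/[\x00-\x20\x7f]//g;     # drop whitespace/control chars first
    return 1 if $u =~ m{^(?:https?|mailto):}i;
    return $u =~ m{^[^:/?#]*(?:[/?#]|$)} ? 1 : 0; # no ':' before first '/', '?' or '#'
}

sub sanitize {
    my ($html) = @_;
    my ($out, $skip) = ('', 0);
    my $p = HTML::Parser->new(
        api_version => 3,
        start_h => [ sub {
            my ($tag, $attr) = @_;               # attr values arrive entity-decoded
            $skip++ if $tag eq 'script' || $tag eq 'style';
            my $ok = $ALLOWED{$tag} or return;   # tag not on the list: drop it
            my $s = "<$tag";
            for my $name (@$ok) {                # copy listed attributes only, so
                next unless defined $attr->{$name};   # onclick etc. never survive
                next if $name eq 'href' && !safe_url($attr->{$name});
                $s .= qq{ $name="} . encode_entities($attr->{$name}, q{<>&"'}) . '"';
            }
            $out .= "$s>";
        }, 'tagname, attr' ],
        end_h => [ sub {
            my ($tag) = @_;
            $skip-- if $skip && ($tag eq 'script' || $tag eq 'style');
            $out .= "</$tag>" if $ALLOWED{$tag} && !$VOID{$tag};
        }, 'tagname' ],
        # Text is decoded, then re-escaped; script/style bodies are discarded.
        text_h => [ sub { $out .= encode_entities($_[0], q{<>&"'}) unless $skip }, 'dtext' ],
    );
    $p->parse($html);
    $p->eof;
    return $out;
}

# Constructed sample input, not taken from the thread.
my $sample = q{<p onclick="x()">Hi <a href="JaVa&#115;cript:x()">one</a> }
           . q{<a href="http://perl.apache.org/" onmouseover="x()">two</a><script>x()</script></p>};
print sanitize($sample), "\n";
```

Because the scheme check runs on the entity-decoded attribute value, an href that spells the scheme with character references or mixed case is rejected the same way as a plain one.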


Cross Site Scripting

Posted by Clinton Gormley <cl...@drtech.co.uk>.
On Tue, 2003-03-11 at 06:03, Stas Bekman wrote:

> Changes since 0.7
> 
> * prevent cross-site scripting, now HTML-escaping the request field
> 

In Stas' Apache::VMonitor announcement, he mentions changes to prevent
cross site scripting.

This is a concern for me at the moment, because I'm building a site
which will allow people to submit copy (to be displayed to other users)
and I would like them to be able to use HTML and include links to other
sites (much like slashdot).

Do any of you have any ideas about good techniques to prevent CSS (and I
don't mean those <div> elements) in this scenario?

I've read the articles on cert.org
(http://www.cert.org/tech_tips/malicious_code_mitigation.html) and
apache.org
(http://httpd.apache.org/info/css-security/encoding_examples.html)

thanks

Clinton Gormley