You are viewing a plain text version of this content. The canonical link for it is here.
Posted to modperl@perl.apache.org by Stas Bekman <st...@stason.org> on 2003/03/11 05:03:22 UTC
ANNOUNCE: Apache-VMonitor 0.8
Changes since 0.7
* prevent cross-site scripting, now HTML-escaping the request field
* mention in the docs that ExtendedStatus On is not coming for free.
----
The uploaded file
Apache-VMonitor-0.8.tar.gz
has entered CPAN as
file: $CPAN/authors/id/S/ST/STAS/Apache-VMonitor-0.8.tar.gz
size: 18209 bytes
md5: 88cfba14794b50cb0642931cd19d42da
No action is required on your part
Request entered by: STAS (Stas Bekman)
Request entered on: Tue, 11 Mar 2003 04:01:10 GMT
Request completed: Tue, 11 Mar 2003 04:01:42 GMT
Virtually Yours,
paused, v276
--
__________________________________________________________________
Stas Bekman JAm_pH ------> Just Another mod_perl Hacker
http://stason.org/ mod_perl Guide ---> http://perl.apache.org
mailto:stas@stason.org http://use.perl.org http://apacheweek.com
http://modperlbook.org http://apache.org http://ticketmaster.com
Re: Cross Site Scripting
Posted by Matt Sergeant <ma...@sergeant.org>.
On Tue, 11 Mar 2003, Clinton Gormley wrote:
> On Tue, 2003-03-11 at 06:03, Stas Bekman wrote:
>
> > Changes since 0.7
> >
> > * prevent cross-site scripting, now HTML-escaping the request field
> >
>
> In Stas' Apache::VMonitor announcement, he mentions changes to prevent
> cross site scripting.
>
> This is a concern for me at the moment, because I'm building a site
> which will allow people to submit copy (to be displayed to other users)
> and I would like them to be able to use HTML and include links to other
> sites (much like slashdot).
>
> Do any of you have any ideas about good techniques to prevent CSS (and I
> don't mean those <div> elements) in this scenario?
I hate to blatantly advertise, but using AxKit mostly mitigates XSS (don't
use the term CSS to mean cross site scripting - its confusing) bugs, with
the exception of javascript in URLs and blank lines inserted into headers
from a user submission. So you vastly limit the things you have to check
for.
--
<!-- Matt -->
<:->get a SMart net</:->
Spam trap - do not mail: spam-sig@spamtrap.messagelabs.com
Re: Cross Site Scripting
Posted by Nathan Byrd <na...@byrd.net>.
On Tue, 2003-03-11 at 02:58, Clinton Gormley wrote:
> On Tue, 2003-03-11 at 06:03, Stas Bekman wrote:
> > Changes since 0.7
> >
> > * prevent cross-site scripting, now HTML-escaping the request field
> In Stas' Apache::VMonitor announcement, he mentions changes to prevent
> cross site scripting.
>
> This is a concern for me at the moment, because I'm building a site
> which will allow people to submit copy (to be displayed to other
> users) and I would like them to be able to use HTML and include links
> to other sites (much like slashdot).
>
> Do any of you have any ideas about good techniques to prevent CSS (and
> I don't mean those <div> elements) in this scenario?
>
> I've read the articles on cert.org
> (http://www.cert.org/tech_tips/malicious_code_mitigation.html) and
> apache.org
> (http://httpd.apache.org/info/css-security/encoding_examples.html)
>
There is also a great article by Paul Lindner, titled "Preventing
Cross-site Scripting Attacks" which I found very helpful, available at:
http://www.perl.com/pub/a/2002/02/20/css.html
Thanks,
--
Nathan Byrd <na...@byrd.net>
Re: Cross Site Scripting
Posted by Ilya Martynov <il...@martynov.org>.
>>>>> On 11 Mar 2003 10:58:01 +0200, Clinton Gormley <cl...@drtech.co.uk> said:
CG> On Tue, 2003-03-11 at 06:03, Stas Bekman wrote:
CG> Changes since 0.7
CG> * prevent cross-site scripting, now HTML-escaping the request field
CG> In Stas' Apache::VMonitor announcement, he mentions changes to
CG> prevent cross site scripting.
CG> This is a concern for me at the moment, because I'm building a
CG> site which will allow people to submit copy (to be displayed to
CG> other users) and I would like them to be able to use HTML and
CG> include links to other sites (much like slashdot).
CG> Do any of you have any ideas about good techniques to prevent CSS
CG> (and I don't mean those <div> elements) in this scenario?
Limit HTML to some safe subset and use HTML::TagFilter to enforce it.
Make sure that you don't allow tag attributes which allow running
javascript (like onclick, onchange, etc). The only problem with
HTML::TagFilter I see is that it doesn't support restricting schemas
in URIs. You definetely should not allow links like
<a href="javascript:something">
But maybe it is possible to extend HTML::TagFilter to do this too.
--
Ilya Martynov, ilya@iponweb.net
CTO IPonWEB (UK) Ltd
Quality Perl Programming and Unix Support
UK managed @ offshore prices - http://www.iponweb.net
Personal website - http://martynov.org
Cross Site Scripting
Posted by Clinton Gormley <cl...@drtech.co.uk>.
On Tue, 2003-03-11 at 06:03, Stas Bekman wrote:
> Changes since 0.7
>
> * prevent cross-site scripting, now HTML-escaping the request field
>
In Stas' Apache::VMonitor announcement, he mentions changes to prevent
cross site scripting.
This is a concern for me at the moment, because I'm building a site
which will allow people to submit copy (to be displayed to other users)
and I would like them to be able to use HTML and include links to other
sites (much like slashdot).
Do any of you have any ideas about good techniques to prevent CSS (and I
don't mean those <div> elements) in this scenario?
I've read the articles on cert.org
(http://www.cert.org/tech_tips/malicious_code_mitigation.html) and
apache.org
(http://httpd.apache.org/info/css-security/encoding_examples.html)
thanks
Clinton Gormley