Solved

Cross-site Scripting at EE

Posted on 2006-06-17
6
242 Views
Last Modified: 2010-08-05
I am writing a web application in JSP that will accept input from users. I am trying to make it as secure as possible. I read this page  
http://support.microsoft.com/default.aspx?scid=kb;en-us;252985       
They recommend filtering or encoding the following special characters  
< > " ' % ; ) ( & + -    
So I thought I would see what EE does here. So, I will look at the source code for this page and record my findings in my next comment.     rrz
!!!!!!!!!!!!< > " ' % ; ) ( & + -!!!!!!!!!!!!
0
Comment
Question by:rrz
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
6 Comments
 
LVL 27

Author Comment

by:rrz
ID: 16927040
I looked at the source code for this page and for this line
< > " ' % ; ) ( & + -      
the source code looks like this      
&lt; &gt; &quot; ' % ; ) ( &amp; + -    

If anybody has any comments, then please post them. I presume EE's security is adequate.     rrz
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 16930310
EE is XSS save, mainly ;-)
you have to do a proper input data validation and then a proper output data validation where you replace special characters like " < > and ' by their HTML entities. That's it.
0
 
LVL 27

Author Comment

by:rrz
ID: 16930329
ahoffmann, thank you for your time.   So, you recommend to encode  " <> and '    where as  EE  encodes  " <> &    
I wonder why the page I linked to also recommends replacing ; ) ( + -
0
Threat Trends for MSPs to Watch

See the findings.
Despite its humble beginnings, phishing has come a long way since those first crudely constructed emails. Today, phishing sites can appear and disappear in the length of a coffee break, and it takes more than a little know-how to keep your clients secure.

 
LVL 27

Author Comment

by:rrz
ID: 16930338
Oh, I see now you wrote
like " < > and '
0
 
LVL 51

Accepted Solution

by:
ahoffmann earned 50 total points
ID: 16930371
encoding & is not that bad, but currently not necessary if you encode the others properly *and* you only use tag attribute enclosed in " or ' (which is the w3c recomendation anyway:)
0
 
LVL 27

Author Comment

by:rrz
ID: 16931449
Thanks for your comments.
0

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Auditing domain password hashes is a commonly overlooked but critical requirement to ensuring secure passwords practices are followed. Methods exist to extract hashes directly for a live domain however this article describes a process to extract u…
A hard and fast method for reducing Active Directory Administrators members.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…

695 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question