Solved

Cross-site Scripting at EE

Posted on 2006-06-17
Medium Priority
244 Views
Last Modified: 2010-08-05
I am writing a web application in JSP that will accept input from users. I am trying to make it as secure as possible. I read this page  
http://support.microsoft.com/default.aspx?scid=kb;en-us;252985       
They recommend filtering or encoding the following special characters  
< > " ' % ; ) ( & + -    
So I thought I would see what EE does here. So, I will look at the source code for this page and record my findings in my next comment.     rrz
!!!!!!!!!!!!< > " ' % ; ) ( & + -!!!!!!!!!!!!
Question by:rrz
6 Comments
 
LVL 28

Author Comment

by:rrz
ID: 16927040
I looked at the source code for this page and for this line
< > " ' % ; ) ( & + -      
the source code looks like this      
&lt; &gt; &quot; ' % ; ) ( &amp; + -    

If anybody has any comments, then please post them. I presume EE's security is adequate.     rrz
 
LVL 51

Expert Comment

by:ahoffmann
ID: 16930310
EE is XSS safe, mainly ;-)
you have to do a proper input data validation and then a proper output data validation where you replace special characters like " < > and ' by their HTML entities. That's it.
 
LVL 28

Author Comment

by:rrz
ID: 16930329
ahoffmann, thank you for your time. So, you recommend encoding " < > and ' whereas EE encodes " < > &.
I wonder why the page I linked to also recommends replacing ; ) ( + -
 
LVL 28

Author Comment

by:rrz
ID: 16930338
Oh, I see now you wrote
like " < > and '
 
LVL 51

Accepted Solution

by:
ahoffmann earned 200 total points
ID: 16930371
encoding & is not that bad, but currently not necessary if you encode the others properly *and* you only use tag attributes enclosed in " or ' (which is the W3C recommendation anyway :)
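As an added example (not code from this thread, from EE, or from the Microsoft KB article), the JavaScript below implements the output encoding the accepted answer describes and demonstrates its quoting condition. The `encodeHtml` helper, the two template functions and the small attribute tokenizer are assumptions made for illustration; the `<input>` tags they render are constructed sample markup. Encoding " < > ' & with the attribute quoted keeps an injected payload inside the attribute value, while the same encoding with an unquoted attribute lets a payload that contains none of those characters add its own attributes. The ; ( ) + - characters from the KB list are deliberately left alone, and the quoted case shows they do no harm there.

```javascript
// Added example: HTML-entity output encoding for an HTML body or a
// quoted attribute value, plus a check of what happens when the
// attribute is not quoted. Not code from the thread or from EE.

// The five characters that matter for HTML body and attribute contexts.
// '&' is included so that input such as "&lt;" is displayed literally
// instead of being decoded as an entity by the browser.
const HTML_ENTITIES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  // &apos; is not defined in HTML 4, so use the numeric reference.
  "'": '&#39;',
};

function encodeHtml(input) {
  return String(input).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Hypothetical JSP-style templates (assumed for this example): the first
// quotes the attribute value, the second does not.
function renderQuoted(userValue) {
  return '<input type="text" name="q" value="' + encodeHtml(userValue) + '">';
}

function renderUnquoted(userValue) {
  return '<input type="text" name="q" value=' + encodeHtml(userValue) + '>';
}

// Minimal attribute tokenizer for the single <input ...> tag rendered above.
// It mirrors the rule a browser applies here: a quoted value runs to the
// matching quote, an unquoted value ends at the first whitespace.
// Returns the attribute names the browser would see on the element.
function attributeNames(tag) {
  const inner = tag.slice(1, -1).replace(/^input\s*/, '');
  const names = [];
  const attr = /([^\s=]+)(?:=(?:"[^"]*"|'[^']*'|[^\s"'>]+))?/g;
  let m;
  while ((m = attr.exec(inner)) !== null) names.push(m[1]);
  return names;
}

// Constructed sample inputs.
const CLASSIC = '"><script>alert(1)</script>';       // needs " < > to break out
const NO_SPECIALS = 'x onfocus=alert(1) autofocus';    // none of & < > " '
const KB_CHARS = 'alert(1); a+b-c';                    // ; ( ) + - only

console.log(renderQuoted(CLASSIC));
console.log(attributeNames(renderQuoted(NO_SPECIALS)));   // type, name, value
console.log(attributeNames(renderUnquoted(NO_SPECIALS))); // ...plus onfocus, autofocus
console.log(attributeNames(renderQuoted(KB_CHARS)));      // type, name, value
```

The unquoted template is the failure mode behind the accepted answer's "*and*": no amount of entity encoding of " < > ' & helps when a space alone terminates the attribute value, so quote every attribute that carries user data and encode the five characters on output.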
 
LVL 28

Author Comment

by:rrz
ID: 16931449
Thanks for your comments.