Solved

Cross-site Scripting at EE

Posted on 2006-06-17
6
236 Views
Last Modified: 2010-08-05
I am writing a web application in JSP that will accept input from users. I am trying to make it as secure as possible. I read this page  
http://support.microsoft.com/default.aspx?scid=kb;en-us;252985       
They recommend filtering or encoding the following special characters  
< > " ' % ; ) ( & + -    
So I thought I would see what EE does here. So, I will look at the source code for this page and record my findings in my next comment.     rrz
!!!!!!!!!!!!< > " ' % ; ) ( & + -!!!!!!!!!!!!
0
Question by:rrz
6 Comments
 
LVL 27

Author Comment

by:rrz
ID: 16927040
I looked at the source code for this page and for this line
< > " ' % ; ) ( & + -      
the source code looks like this      
&lt; &gt; &quot; ' % ; ) ( &amp; + -    

If anybody has any comments, then please post them. I presume EE's security is adequate.     rrz
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 16930310
EE is XSS safe, mainly ;-)
You have to do proper input data validation and then proper output data validation, where you replace special characters like " < > and ' by their HTML entities. That's it.
0
 
LVL 27

Author Comment

by:rrz
ID: 16930329
ahoffmann, thank you for your time. So, you recommend encoding " < > and ', whereas EE encodes " < > &.
I wonder why the page I linked to also recommends replacing ; ) ( + -
0
 
LVL 27

Author Comment

by:rrz
ID: 16930338
Oh, I see now you wrote
like " < > and '
0
 
LVL 51

Accepted Solution

by: ahoffmann earned 50 total points
ID: 16930371
Encoding & is not that bad, but currently not necessary if you encode the others properly *and* you only use tag attributes enclosed in " or ' (which is the W3C recommendation anyway :)
0
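As an added example (my own code, not EE's and not anything posted in this thread), here is a small Java encoder a JSP page could call before writing user input into a response. It follows the rule given in the accepted answer, encoding < > " and ' (and, as a choice of mine, & as well, so literal entity text in the input cannot be re-interpreted), and it shows why the answer insists on quoted attribute values. The class name `HtmlEscape`, the helper method names and the sample strings are all my own assumptions.

```java
public final class HtmlEscape {

    /**
     * Encode untrusted text for use as HTML body text or inside a
     * double- or single-quoted attribute value.
     * Encodes the characters the thread settles on: < > " ' plus &.
     */
    public static String escape(String input) {
        if (input == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(input.length() + 16);
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break; // assumption: also encode & (answer says optional)
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break; // &apos; is not defined in HTML 4, use numeric form
                default:   out.append(c);               // % ; ) ( + - and everything else pass through
            }
        }
        return out.toString();
    }

    /** Attribute value written inside double quotes, as the accepted answer recommends. */
    public static String quotedAttribute(String value) {
        return "<input value=\"" + escape(value) + "\">";
    }

    /** Attribute value written without quotes; shown only to illustrate the answer's caveat. */
    public static String unquotedAttribute(String value) {
        return "<input value=" + escape(value) + ">";
    }

    public static void main(String[] args) {
        // Constructed sample: the exact character list rrz posted at the top of the thread.
        String threadSample = "< > \" ' % ; ) ( & + -";
        System.out.println(escape(threadSample));
        // prints: &lt; &gt; &quot; &#39; % ; ) ( &amp; + -

        // Constructed sample containing a space and '=': neither is an HTML
        // entity character, so the encoder leaves them alone.
        String attrSample = "x foo=bar";
        System.out.println(quotedAttribute(attrSample));
        // prints: <input value="x foo=bar">   -> one attribute, value is the whole string
        System.out.println(unquotedAttribute(attrSample));
        // prints: <input value=x foo=bar>     -> browser reads a second attribute "foo"
    }
}
```

The second pair of lines is the point of the answer's "*and* you only use tag attributes enclosed in " or '": with the quotes present, the encoded value cannot close the attribute, because the only character that could do so (") has been turned into `&quot;`; without them, a space alone is enough to start a new attribute, and no HTML entity encoding can fix that. The characters rrz asked about (% ; ) ( + -) pass through unchanged here because they have no special meaning in HTML markup; they matter in other output contexts, such as a value written inside a `<script>` block or into a URL, and those contexts need their own encoding rather than this one.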
 
LVL 27

Author Comment

by:rrz
ID: 16931449
Thanks for your comments.
0
