Solved

Cross-site Scripting at EE

Posted on 2006-06-17
6
238 Views
Last Modified: 2010-08-05
I am writing a web application in JSP that will accept input from users. I am trying to make it as secure as possible. I read this page  
http://support.microsoft.com/default.aspx?scid=kb;en-us;252985       
They recommend filtering or encoding the following special characters  
< > " ' % ; ) ( & + -    
So I thought I would see what EE does here. So, I will look at the source code for this page and record my findings in my next comment.     rrz
!!!!!!!!!!!!< > " ' % ; ) ( & + -!!!!!!!!!!!!
0
Comment
Question by:rrz
  • 4
  • 2
6 Comments
 
LVL 27

Author Comment

by:rrz
ID: 16927040
I looked at the source code for this page and for this line
< > " ' % ; ) ( & + -      
the source code looks like this      
&lt; &gt; &quot; ' % ; ) ( &amp; + -    

If anybody has any comments, then please post them. I presume EE's security is adequate.     rrz
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 16930310
EE is XSS save, mainly ;-)
you have to do a proper input data validation and then a proper output data validation where you replace special characters like " < > and ' by their HTML entities. That's it.
0
 
LVL 27

Author Comment

by:rrz
ID: 16930329
ahoffmann, thank you for your time.   So, you recommend to encode  " <> and '    where as  EE  encodes  " <> &    
I wonder why the page I linked to also recommends replacing ; ) ( + -
0
Ransomware-A Revenue Bonanza for Service Providers

Ransomware – malware that gets on your customers’ computers, encrypts their data, and extorts a hefty ransom for the decryption keys – is a surging new threat.  The purpose of this eBook is to educate the reader about ransomware attacks.

 
LVL 27

Author Comment

by:rrz
ID: 16930338
Oh, I see now you wrote
like " < > and '
0
 
LVL 51

Accepted Solution

by:
ahoffmann earned 50 total points
ID: 16930371
encoding & is not that bad, but currently not necessary if you encode the others properly *and* you only use tag attribute enclosed in " or ' (which is the w3c recomendation anyway:)
0
 
LVL 27

Author Comment

by:rrz
ID: 16931449
Thanks for your comments.
0

Featured Post

Back Up Your Microsoft Windows Server®

Back up all your Microsoft Windows Server – on-premises, in remote locations, in private and hybrid clouds. Your entire Windows Server will be backed up in one easy step with patented, block-level disk imaging. We achieve RTOs (recovery time objectives) as low as 15 seconds.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Pop culture is prime bait for hackers seeking to infect user’s computers and mobile devices with malicious malware. Hackers know exactly what the latest trends are online and know how to use them to their advantage.
As technology users and professionals, we’re always learning. Our universal interest in advancing our knowledge of the trade is unmatched by most industries. It’s a curiosity that makes sense, given the climate of change. Within that, there lies a…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

773 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question