[Esapi-dev] CSS encoding

Jim Manico jim.manico at owasp.org
Fri Aug 12 14:58:44 EDT 2011


On 8/8/11 5:16 PM, Chris Schmidt wrote:
> FWIW -- the CSS Contextual Encoder that I did for Jquery-Encoder has
> proven out to be pretty reliable, perhaps modifying the Codec to take
> context (the css property in question) into consideration with a
> whitelist approach is the correct answer.
I agree with this approach 100%.

And please keep in mind, simple whitelist character validation is not
the strongest technique. You need straight up structural validation of
specific CSS values that are user-driven.

And I agree with Jeff that we should NOT take out the CSS encoder and
that we do need to add a blacklist to stop expression attacks. I'm not
a fan of this long-term, but it's already in use, it's an important and
easy technique that can be used in an outbound way, and so long as we
warn about the limits and provide ample unit test coverage to provide
assurance, I say keep it in there[1].

- Jim

[1] But please note if you are depending on the ESAPI-Java CSS encoder
as it stands today, you are completely vulnerable to XSS via
expression-based attacks on IE.
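To make the "structural validation of specific CSS values" point concrete, here is an added JavaScript example (not jQuery-Encoder or ESAPI code; the property list and per-property grammars are assumptions) that validates a user-driven value against a grammar for the CSS property it will land in, falls back to a safe default on any mismatch, and keeps hex-escaping only as the secondary, string-context encoder:

```javascript
// Property-aware CSS value validation (added example, not ESAPI or jQuery-Encoder).
// Each entry is a structural grammar for one property; anything else is rejected.
// The property set and grammars are assumed for illustration.
const CSS_VALUE_GRAMMAR = {
  color:              /^(#[0-9a-f]{3}|#[0-9a-f]{6}|[a-z]{3,20})$/i,
  "background-color": /^(#[0-9a-f]{3}|#[0-9a-f]{6}|[a-z]{3,20})$/i,
  width:              /^\d{1,4}(\.\d{1,2})?(px|em|rem|%)$/,
  height:             /^\d{1,4}(\.\d{1,2})?(px|em|rem|%)$/,
  "font-size":        /^\d{1,3}(\.\d{1,2})?(px|em|rem|pt|%)$/,
  "text-align":       /^(left|right|center|justify)$/,
};

// Returns the value unchanged if it structurally matches the grammar for the
// given property, otherwise null so the caller can substitute a default.
// Unknown properties have no grammar and are rejected outright.
function validateCssValue(property, value) {
  const grammar = CSS_VALUE_GRAMMAR[String(property).toLowerCase()];
  if (!grammar) return null;
  const v = String(value).trim();
  return grammar.test(v) ? v : null;
}

// Secondary technique: output encoder for a free-form string that must land in
// a CSS string context (e.g. content: "..."). Every character outside
// [A-Za-z0-9] becomes a CSS hex escape plus a terminating space, so the
// browser cannot read it as syntax. Use this only where no grammar applies.
function encodeForCssString(input) {
  let out = "";
  for (const ch of String(input)) {
    if (/[A-Za-z0-9]/.test(ch)) { out += ch; continue; }
    out += "\\" + ch.codePointAt(0).toString(16) + " ";
  }
  return out;
}

// Build one declaration from untrusted input; anything that fails structural
// validation is replaced by the caller's fallback rather than encoded.
function buildStyle(property, userValue, fallback) {
  const v = validateCssValue(property, userValue);
  return `${property}:${v === null ? fallback : v}`;
}
```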