[Esapi-dev] XSS: Filter vs Encode?
Jeffrey Walton
noloader at gmail.com
Sun Dec 11 00:26:49 EST 2011
On Sun, Dec 11, 2011 at 12:20 AM, Kevin W. Wall <kevin.w.wall at gmail.com> wrote:
> On Dec 10, 2011 11:56 PM, "Jeffrey Walton" <noloader at gmail.com> wrote:
>>
>> According to ASP.net and their tutorials (and at least one book I've
>> looked at), data is inserted into the database unfiltered but later
>> encoded to counter XSS.
>>
>> I'm not sure I agree with inserting contaminated data into the
>> database. I think there's a potential for abuse: for example, suppose
>> a page is later added which omits encoding.
>>
>> What is the preferred method of sanitizing input?
> This is the so-called persistent XSS case.
Right. That's why I don't understand why one would stuff it in the
database and hope to fix it via an encoder. But I'm not a clever web
programmer.
> When possible, you should always validate input. But that
> is not always possible. Sometimes a 3rd party app may
> be collecting input into the DB. Sometimes you need to
> collect general input for comments or whatever & are
> required to accept ALL input characters. Whatever the
> reason, that's why you filter the output by properly
> encoding it.
OK. The argument that was made in the book stated the author preferred
to 'search un-escaped text' (or something to that effect).
> So, in a nutshell, do BOTH when possible. When not, at
> least escape the output for the appropriate context.
Gotcha. Thanks Kevin and Jerry.
Jeff
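Kevin's advice above, do both when possible and at minimum escape output for the context it lands in, is illustrated below with an added example that is not part of the thread and does not use ESAPI's own encoders. The three encoders are simplified hand-written versions of the HTML body, HTML attribute and JavaScript string encoders; `STORED_COMMENT` is a constructed sample standing in for a comment written to the database unfiltered, as the ASP.NET tutorials in the thread describe.

```python
"""Output encoding per context, beside allow-list input validation (added example)."""
import re

# Constructed sample: a comment stored unfiltered, later rendered into a page.
STORED_COMMENT = '<script>alert(1)</script> "Nice" post & thanks'

# Characters that change meaning inside an HTML element body.
_HTML_BODY_MAP = {
    "&": "&amp;", "<": "&lt;", ">": "&gt;",
    '"': "&quot;", "'": "&#x27;", "/": "&#x2F;",
}


def encode_for_html(text: str) -> str:
    """Encode untrusted data for placement in an HTML element body."""
    return "".join(_HTML_BODY_MAP.get(ch, ch) for ch in text)


def encode_for_html_attribute(text: str) -> str:
    """Encode for a quoted attribute value: every character outside
    [A-Za-z0-9] becomes a numeric entity, so no delimiter survives."""
    return "".join(
        ch if (ch.isascii() and ch.isalnum()) else f"&#x{ord(ch):X};"
        for ch in text
    )


def encode_for_javascript(text: str) -> str:
    """Encode for a JavaScript string literal with \\xHH / \\uHHHH escapes."""
    out = []
    for ch in text:
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        elif ord(ch) < 256:
            out.append(f"\\x{ord(ch):02X}")
        else:
            out.append(f"\\u{ord(ch):04X}")
    return "".join(out)


def render_comment(comment: str) -> str:
    """Render one stored comment into three contexts, each with its own
    encoder. The same raw string would be live markup in all three if any
    one encoder were omitted, which is the 'page added later' risk Jeff
    raised."""
    return (
        f'<div data-preview="{encode_for_html_attribute(comment)}">'
        f"{encode_for_html(comment)}</div>"
        f'<script>var c = "{encode_for_javascript(comment)}";</script>'
    )


# Allow-list validation for a field whose shape is known in advance
# (a username here). This is the 'validate input' half of Kevin's advice;
# it does not replace output encoding for free-text fields.
_USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{3,32}$")


def validate_username(value: str) -> bool:
    """Return True only if the value matches the expected character set."""
    return bool(_USERNAME_RE.fullmatch(value))


if __name__ == "__main__":
    print(render_comment(STORED_COMMENT))
    print(validate_username("jeff_walton"), validate_username("<b>x</b>"))
```

The point of three separate encoders is that "escape the output" is not one operation: what neutralises a string inside an element body (`&lt;`) is not what neutralises it inside a JavaScript literal (`\x3C`), so the renderer picks the encoder by where the data lands.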