[OWASP-Bangalore] Help with whitelists for protection against XSS

Prashanth Sivarajan prash.siv at gmail.com
Wed Jun 10 06:52:27 EDT 2009


I saw somewhere that everything that goes out of the server should be HTML
encoded (no whitelisting), so the special meaning of all the non-alphanumerics
is masked. Any comments on this?

For example, a search string that contains XSS characters like '<script' will be
converted to &#60;script.
The browser, when reading the encoded chars, will not interpret the special
meaning of '<'; it will be displayed as '<', i.e. there is no double decoding.


Any comments on this?

On Wed, Jun 10, 2009 at 3:48 PM, <raxitsheth2000 at gmail.com> wrote:

> You may find a lot of material here.
>
> www.xssed.com
>
> Happy (anti-)Hacking :)
>
> -Raxit Sheth
> www.m4mum.com
>
> On Jun 10, 2009 1:15pm, Chaitanya <chaitanya.sharma at gmail.com> wrote:
> > Hi.
> >
> > I'm looking for help (tuts, papers, comments etc) related to using
> whitelists for protection against XSS.  I need to help some UI developers
> implement whitelists in a java (JSP) project.  Any help from the community
> will be appreciated. I'm sure this discussion will also profit others.
> >
> >
> >
> > Regards,
> > Chaitanya
> >
> > http://blog.chaitanyasharma.in
> >
>
> _______________________________________________
> OWASP-Bangalore mailing list
> OWASP-Bangalore at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-bangalore
>
>
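As an added illustration of the two ideas raised in this thread, HTML-encoding every non-alphanumeric character on output (as described above) and a whitelist check for a search field (as asked for in the Java/JSP context), here is example code that is not from the list or from any project; the class, method and pattern are assumed:

```java
import java.util.regex.Pattern;

// Added example (not from the thread): output encoding plus a whitelist.
public final class XssOutputEncoding {

    /** Encode every character outside [A-Za-z0-9] as a decimal HTML entity. */
    public static String encodeForHtml(String input) {
        if (input == null) return "";
        StringBuilder sb = new StringBuilder(input.length() * 2);
        for (int i = 0; i < input.length(); ) {
            int cp = input.codePointAt(i);
            i += Character.charCount(cp);
            boolean alnum = (cp >= 'a' && cp <= 'z')
                         || (cp >= 'A' && cp <= 'Z')
                         || (cp >= '0' && cp <= '9');
            if (alnum) {
                sb.appendCodePoint(cp);
            } else {
                sb.append("&#").append(cp).append(';');
            }
        }
        return sb.toString();
    }

    /** Whitelist for a search term (assumed policy): letters, digits, space,
     *  a few punctuation marks, 1 to 64 characters. Anything else is rejected. */
    private static final Pattern SEARCH_OK = Pattern.compile("^[A-Za-z0-9 .,_-]{1,64}$");

    public static boolean isValidSearchTerm(String term) {
        return term != null && SEARCH_OK.matcher(term).matches();
    }

    public static void main(String[] args) {
        String q = "<script>alert(1)</script>";
        // Whitelist rejects the input outright: false
        System.out.println(isValidSearchTerm(q));
        // Output encoding masks every non-alphanumeric:
        // &#60;script&#62;alert&#40;1&#41;&#60;&#47;script&#62;
        System.out.println(encodeForHtml(q));
        // Encoding an already-encoded value turns '&' into &#38; and '#' into
        // &#35;, so the browser shows the literal text "&#60;script" rather than
        // decoding it twice: &#38;&#35;60&#59;script
        System.out.println(encodeForHtml("&#60;script"));
    }
}
```

The whitelist is applied on input and the encoding on output; the two are complementary, since a value that passes the whitelist is still encoded when rendered.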