[OWASP-wiki-editors] OWASP Glossary

Jim Manico jim.manico at owasp.org
Mon Feb 23 13:45:22 UTC 2015


On 11/19/14 5:44 PM, Paco Hope wrote:
> > There is no magic you can do on most inputs coming in that will render them suitable in all output contexts.

Amen!
> SQL queries need SQL-specific output encoding. HTML context needs HTML-aware output encoding. These are very different.
Preach it, Paco!
>
> Consider just JavaScript execution contexts. I can name 7 different contexts where the output encoding is slightly different:
>
>    1.  Inside JavaScript: <script> tag (e.g., <script> X </script>)
>    2.  Included 3rd party JavaScript: <script src="X"/>
>    3.  Event handlers (e.g., onblur="X")
>    4.  Cascading Style Sheets (CSS) (e.g., background: "X")
>    5.  Scalable Vector Graphics (SVG) (SVGs are XML that can execute javascript!)
>    6.  Unique Resource Identifier (URI) handler (e.g., about:X)
>    7.  Dynamic JavaScript execution: eval() function (e.g., eval( X ))

Dang straight. There are actually 20+ encoding contexts when you really 
dig into the problem. 
https://code.google.com/p/owasp-java-encoder/source/browse/trunk/core/src/main/java/org/owasp/encoder/Encode.java 
You do not need to use all 20, but you are right on about the many contexts!
>
> And that’s just if your input data is going to be encoded for one of those JavaScript execution contexts. We haven’t even touched on HTML, CSS generally, SVG generally, or SQL or anything else. There is no “input” validation process that covers all cases of output encoding.

Oh yea!
>
> So once we see input validation as half the solution, not the whole thing, then we’re good.

I stole your dance and consider input validation as "defining program 
semantics and functionality" and encoding as "security". Fair?

Aloha,
Jim


>
> Paco
>
>
> Paco Hope <https://plus.google.com/+PacoHope/>, CISSP, CSSLP
> Principal Consultant, Cigital<http://www.cigital.com/>
> Build Security In
>
>
> Mobile: +44 7985 419 802
> Follow me: @pacohope<https://www.twitter.com/pacohope>
> LinkedIn: pacohope<http://uk.linkedin.com/in/pacohope/>
>
>
> On 19/11/2014 15:05, "Achim" <achim at owasp.org> wrote:
> Sticking on a filter doing proper input validation for both of the following actions (1.
> and 2.) means that the single quote has to pass. Wait, it must be blocked; no, it's
> valid for 2. ...
>
> Can input validation do that? Where does a syntactical check stop and a semantic
> (logical) check begin?
>
> _______________________________________________
> OWASP-wiki-editors mailing list
> OWASP-wiki-editors at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-wiki-editors
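The point the thread keeps circling (the single quote must pass validation, and each output sink then needs its own encoder) can be made concrete in a few lines. The following is an added example written for this archive page; it is not code from the list, from Paco or Jim, or from the OWASP Java Encoder, and every function and the sample input are constructed here. It runs one untrusted value through HTML, JavaScript string, URL and SQL contexts, and then models the event-handler case from Paco's list to show why HTML encoding alone is undone by the browser's attribute decoding while JS-then-HTML layering holds.

```javascript
// Added example for this thread; not code from the list or from the OWASP
// Java Encoder. One untrusted value is routed through several output
// contexts, each with its own encoder, and an event-handler attribute models
// why the wrong encoder fails. Run with: node encoding-contexts.js

// Constructed untrusted input: a real-looking surname with an apostrophe
// followed by markup. Input validation has to let the apostrophe through
// (it is valid data), so safety comes from encoding for the output context.
const UNTRUSTED = `O'Brien </script><script>alert(1)</script>`;

// HTML text-node and quoted-attribute context.
function encodeForHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// JavaScript string-literal context: \xHH / \uHHHH-escape every code unit
// outside [A-Za-z0-9]. Quotes, backslashes and "</script>" cannot survive
// into the literal, so the result is also safe inside a <script> block.
function encodeForJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 0x100
      ? "\\x" + code.toString(16).padStart(2, "0")
      : "\\u" + code.toString(16).padStart(4, "0");
  });
}

// URL query-component context. Note encodeURIComponent leaves ' ( ) ! * ~
// alone, so a URL placed in an HTML attribute still needs the HTML layer.
function encodeForUriComponent(s) {
  return encodeURIComponent(String(s));
}

// SQL context: not an encoder but a bound parameter, modelled as the
// (text, params) pair a prepared statement receives. The quote travels as data.
function sqlLookup(surname) {
  return { text: "SELECT id FROM users WHERE surname = ?", params: [surname] };
}

// The same value rendered into four sinks, each with the encoder (or the
// encoder stack) its context requires.
function render(untrusted) {
  return {
    htmlBody: `<p>Hello, ${encodeForHtml(untrusted)}</p>`,
    htmlAttr: `<input value="${encodeForHtml(untrusted)}">`,
    scriptBlock: `<script>var name = '${encodeForJsString(untrusted)}';</script>`,
    href: `<a href="/u?name=${encodeForHtml(encodeForUriComponent(untrusted))}">me</a>`,
  };
}

// A literal "</script" ends a <script> block regardless of JS quoting, so the
// JS string encoder must not let one through.
function scriptBreakoutRemains(s) {
  return /<\/script/i.test(s);
}

// Why the encoders are not interchangeable: for onclick="f('X')" the HTML
// parser decodes entities in the attribute value before the JS engine ever
// sees it. A stand-in for that decoding step (only the entities emitted above
// plus numeric hex references):
function decodeHtmlEntities(s) {
  return String(s)
    .replace(/&#x([0-9a-f]+);/gi, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/&quot;/g, '"')
    .replace(/&lt;/g, "<")
    .replace(/&gt;/g, ">")
    .replace(/&amp;/g, "&");
}

// True if, after attribute decoding, an unescaped quote remains inside the
// literal of f('<encodedValue>'), i.e. the value can close the string and
// continue as code.
function handlerIsBrokenOut(encodedValue) {
  const js = decodeHtmlEntities(`f('${encodedValue}')`);
  const inner = js.slice("f('".length, js.length - "')".length);
  return /(^|[^\\])'/.test(inner);
}

// Correct layering for an event handler: encode for the inner (JS) context
// first, then for the outer (HTML attribute) context that wraps it.
function encodeForEventHandlerLiteral(s) {
  return encodeForHtml(encodeForJsString(s));
}

console.log(render(UNTRUSTED));
console.log("HTML encoding alone in onclick, broken out:",
  handlerIsBrokenOut(encodeForHtml(UNTRUSTED)));                // true
console.log("JS-then-HTML encoding in onclick, broken out:",
  handlerIsBrokenOut(encodeForEventHandlerLiteral(UNTRUSTED))); // false
```

The `decodeHtmlEntities` stand-in is deliberately minimal; it exists only to model the one browser behaviour that matters here, namely that attribute values are entity-decoded before any nested JavaScript is parsed. That is the step that turns an HTML-encoded `&#x27;` back into a quote inside `onclick`, and it is why nested contexts are encoded inside-out, innermost context first.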


