Comments on: The usual suspects and what to do about them http://www.greebo.net/2007/01/28/the-usual-suspects-and-what-to-do-about-them/ mostly useless crap from me Thu, 04 Dec 2008 20:04:33 +0000 http://wordpress.org/?v=2.6.5 By: dre http://www.greebo.net/2007/01/28/the-usual-suspects-and-what-to-do-about-them/#comment-6208 dre Tue, 20 Feb 2007 05:16:55 +0000 http://www.greebo.net/?p=395#comment-6208 For Java, consider this for strong input validation: http://jakarta.apache.org/commons/validator/ Also - I assess J2EE environments a lot and usually have more (specifically XSS) findings than what you give credit for. And add that other guy's HTML Purifier to your PHP strong functions http://www.greebo.net/?p=399 Maybe add some other languages... but I really like your basic representation of the data. Put this up on OWASP! For Java, consider this for strong input validation:
http://jakarta.apache.org/commons/validator/

Also - I assess J2EE environments a lot and usually have more (specifically XSS) findings than what you give credit for.

And add that other guy’s HTML Purifier to your PHP strong functions http://www.greebo.net/?p=399

Maybe add some other languages… but I really like your basic representation of the data. Put this up on OWASP!

]]> By: vanderaj http://www.greebo.net/2007/01/28/the-usual-suspects-and-what-to-do-about-them/#comment-6047 vanderaj Mon, 05 Feb 2007 13:04:00 +0000 http://www.greebo.net/?p=395#comment-6047 Stephen, The Microsoft AntiXSS libraries encode pretty much everything BUT approximately A-Z, a-z, 0-9 and space. I consider this strong encoding. I must admit not having much experience with RoR, and thus I didn't consider it when writing this entry. Andrew Stephen,

The Microsoft AntiXSS libraries encode pretty much everything BUT approximately A-Z, a-z, 0-9 and space. I consider this strong encoding.

I must admit not having much experience with RoR, and thus I didn’t consider it when writing this entry.

Andrew

]]> By: Stephen dv http://www.greebo.net/2007/01/28/the-usual-suspects-and-what-to-do-about-them/#comment-6045 Stephen dv Mon, 05 Feb 2007 08:52:26 +0000 http://www.greebo.net/?p=395#comment-6045 Hi Andrew, The <%= order.comment %> format used by default in Ruby on Rails is also vulnerable to XSS attack. To encode it, there is a convenience form: <%= h(order.comment) %>. Could you explain a bit more about what you mean by "strong functions"? Stephen Hi Andrew,

The <%= order.comment %> format used by default in Ruby on Rails is also vulnerable to XSS attack. To encode it, there is a convenience form:
<%= h(order.comment) %>.

Could you explain a bit more about what you mean by “strong functions”?

Stephen

]]> By: Dagfinn Reiersøl http://www.greebo.net/2007/01/28/the-usual-suspects-and-what-to-do-about-them/#comment-5949 Dagfinn Reiersøl Wed, 31 Jan 2007 13:16:30 +0000 http://www.greebo.net/?p=395#comment-5949 How about pushing to make the major PHP template engines XSS safe by default? Some of them are, but Smarty, in particular, isn't. Maybe it's not a "real solution" but it would help. Get it on people's radar screens. Recommend using a "safe" template engine. How about pushing to make the major PHP template engines XSS safe by default? Some of them are, but Smarty, in particular, isn’t. Maybe it’s not a “real solution” but it would help. Get it on people’s radar screens. Recommend using a “safe” template engine.

]]> By: vanderaj http://www.greebo.net/2007/01/28/the-usual-suspects-and-what-to-do-about-them/#comment-5924 vanderaj Mon, 29 Jan 2007 08:22:52 +0000 http://www.greebo.net/?p=395#comment-5924 Sam, It's ironic that on a post about XSS and how hard it is to be right whilst still allowing safe output encoding that even a mature app like WordPress 2.1 still has problems encoding user output in a recognizable and safe way. Andrew Sam,

It’s ironic that on a post about XSS and how hard it is to be right whilst still allowing safe output encoding that even a mature app like WordPress 2.1 still has problems encoding user output in a recognizable and safe way.

Andrew

]]> By: Sam http://www.greebo.net/2007/01/28/the-usual-suspects-and-what-to-do-about-them/#comment-5922 Sam Mon, 29 Jan 2007 04:14:08 +0000 http://www.greebo.net/?p=395#comment-5922 Dang. I was hoping WordPress would just encode the pointy brackets. What's missing from the above is "${person.name} instead of [c:out]". And "disable it entirely with [scripting-invalid]." Dang. I was hoping WordPress would just encode the pointy brackets. What’s missing from the above is “${person.name} instead of [c:out]“. And “disable it entirely with [scripting-invalid].”

]]> By: Sam http://www.greebo.net/2007/01/28/the-usual-suspects-and-what-to-do-about-them/#comment-5921 Sam Mon, 29 Jan 2007 04:10:49 +0000 http://www.greebo.net/?p=395#comment-5921 Using JSTL or JSF, proper encoding may be the default, but in JSTL that's only if you use consistently. Considering that it's far easier to just use straight EL (${person.name} instead of ), doing the right thing does take a bit of extra work, enough to make developers grumble. And the EL-only alternative, ${fn:escapeXml(person.name)} is just no fun at all. So it isn't as much a default as we'd hope. I still regularly face resistance from coworkers to using the longer forms, even from experienced developers and contractors who I expect to know better. Maybe this is nitpicking, because I still think your basic premise is correct. I like the idea of issuing warnings when scriptlets are used. You can even disable it entirely with . I'd like to do the same for bare EL -- or better yet, make encoding on bare EL the default. Using JSTL or JSF, proper encoding may be the default, but in JSTL that’s only if you use consistently. Considering that it’s far easier to just use straight EL (${person.name} instead of ), doing the right thing does take a bit of extra work, enough to make developers grumble. And the EL-only alternative, ${fn:escapeXml(person.name)} is just no fun at all. So it isn’t as much a default as we’d hope. I still regularly face resistance from coworkers to using the longer forms, even from experienced developers and contractors who I expect to know better.

Maybe this is nitpicking, because I still think your basic premise is correct.

I like the idea of issuing warnings when scriptlets are used. You can even disable it entirely with . I’d like to do the same for bare EL — or better yet, make encoding on bare EL the default.

]]>