Re: [WEB SECURITY] Is ^ a dangerous metachar?
- From: "Brian Eaton" <eaton.lists@xxxxxxxxx>
- Subject: Re: [WEB SECURITY] Is ^ a dangerous metachar?
- Date: Mon, 8 Jan 2007 08:24:47 -0500
On 1/8/07, Haroon Meer <haroon@xxxxxxxxxxxxx> wrote:
> PS.. it bears repeating that you can't know every meta-character that
> could hurt you / your application and you would be better advised to
> whitelist (this field accepts mixed-case alphanumeric) instead of trying
> to blacklist (this field won't accept ;'<>).
I agree with this in theory, but I find I can't often apply this
policy in practice. The applications I work on are usually expected
to deal with non-English data supplied as Unicode. I would need to
use a white list of 65,000 characters.
Instead I try to use APIs that distinguish between code and data, e.g.
working with HTML using the DOM tree instead of using strings. (Of
course, then you have the fun of worrying about DOM-based XSS...)
Regards,
Brian
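Both points in the exchange above, as an added example that is not from either poster: an allowlist check that accepts letters and digits from any script without enumerating code points (Python's Unicode-aware str.isalnum() is assumed as the mechanism), and the code-versus-data approach to HTML, with Python's xml.etree.ElementTree standing in for the browser DOM. The sample inputs are constructed, and the stdlib HTML parser is used only to show which tags a consumer would actually see in each rendering.

```python
import html
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

# Constructed sample inputs: two benign non-English strings and two
# strings containing characters that a string-based renderer would
# treat as markup or that a shell would treat as a metacharacter.
SAMPLES = {
    "japanese": "東京タワー",
    "accented": "Ünïcödé",
    "markup": "<script>alert(1)</script>",
    "caret": "a^b",
}


def allowlist_alnum(value: str) -> bool:
    """Allowlist check: letters and digits from any script, nothing else.

    str.isalnum() consults Unicode categories, so this accepts
    mixed-case alphanumerics in any language without a 65,000-entry
    table, and rejects punctuation such as ^ ; ' < > and whitespace.
    The empty string is rejected explicitly because ''.isalnum() is False
    only by accident of the definition; being explicit documents intent.
    """
    return value != "" and value.isalnum()


def render_with_strings(user_text: str) -> str:
    """Fragile approach: user data is concatenated into markup as a string,
    so any < or & in the data is parsed as HTML by the consumer."""
    return "<b>" + user_text + "</b>"


def render_with_tree(user_text: str) -> str:
    """Tree approach: the element is code, user_text is the node's data.
    The serializer escapes &, < and > when it emits the text node, so the
    data can never become markup. (Assumption: ElementTree as a stand-in
    for the DOM; the principle is the same.)"""
    b = ET.Element("b")
    b.text = user_text
    return ET.tostring(b, encoding="unicode")


def render_with_escaping(user_text: str) -> str:
    """String approach done at the boundary: escape once, at output time."""
    return "<b>" + html.escape(user_text, quote=True) + "</b>"


class _TagCollector(HTMLParser):
    """Records the start tags a parser sees; used to show what a browser
    would interpret as markup in each rendering."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag, attrs) -> None:
        self.tags.append(tag)


def tags_seen_by_parser(markup: str) -> list[str]:
    """Return the list of start tags an HTML parser finds in markup."""
    collector = _TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags


if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(f"{name:9} allowlisted={allowlist_alnum(value)}")
    bad = SAMPLES["markup"]
    print("strings :", tags_seen_by_parser(render_with_strings(bad)))
    print("tree    :", tags_seen_by_parser(render_with_tree(bad)))
    print("escaped :", tags_seen_by_parser(render_with_escaping(bad)))
```

The allowlist passes the Japanese and accented samples and rejects the two containing punctuation, while the parser check shows that the string-concatenated rendering of the markup sample contains a second element and the tree-serialized rendering contains only the intended one.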
----------------------------------------------------------------------------
The Web Security Mailing List:
http://www.webappsec.org/lists/websecurity/
The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Brought to you by http://www.webappsec.org