Article: Handling Java Web Application Input, Part 2
Subject: Two missing points...
Date: 2005-09-20 14:23:12
From: jhannes

Good article. A few things, though.
In addition to the examples you mentioned, there are a few unexpected XSS attacks. The img src-attribute can be attacked: <img src="javascript:alert('hello')"/>. The same holds for some other src-attributes (e.g. style). These attacks are browser-specific, but work in MSIE 6 (which is still the most used browser).
In addition, I would recommend against filtering out ";", because this is often used as a (better) alternative to "&" in URLs. This is especially handy in cases where URLs go through an unknown number of evaluations. Have you ever seen "http://www.url.com/foo?bar=baz&a=b"? Not pretty (and it won't work with ;-filters anyway).
Thank you for the article series. I believe developers today really need to wise up about security, and articles like this go a long way.
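
The following is an added example, not code from the comment or from the article it responds to. It shows one way to handle both points above: user-supplied values bound for a src or href attribute are checked against a scheme allowlist instead of a character filter, so javascript: values are rejected while ";" in a query string is left alone. The class name, method names and the allowlist policy are assumptions made for illustration.

```java
import java.util.Locale;
import java.util.Set;

public class UrlAttributeCheck {
    // Assumed policy: only these schemes may appear in src/href values.
    private static final Set<String> ALLOWED_SCHEMES = Set.of("http", "https");

    /**
     * Returns true if the value may be written into a src/href attribute.
     * The caller must still HTML-escape the value when emitting it.
     */
    static boolean isAllowedUrl(String value) {
        if (value == null) return false;
        // Normalize first so the decision does not depend on embedded
        // whitespace or control characters around or inside the scheme.
        String s = value.replaceAll("[\\s\\p{Cntrl}]", "");
        if (s.isEmpty()) return false;
        int colon = s.indexOf(':');
        int delim = firstDelimiter(s);
        // No ':' before the first '/', '?' or '#' means a relative
        // reference with no scheme; this policy accepts those.
        if (colon < 0 || (delim >= 0 && delim < colon)) return true;
        String scheme = s.substring(0, colon).toLowerCase(Locale.ROOT);
        return ALLOWED_SCHEMES.contains(scheme);
    }

    // Index of the first path, query or fragment delimiter, or -1.
    private static int firstDelimiter(String s) {
        for (int i = 0; i < s.length(); i++) {
            if ("/?#".indexOf(s.charAt(i)) >= 0) return i;
        }
        return -1;
    }

    public static void main(String[] args) {
        String[] samples = {                       // constructed sample inputs
            "http://www.url.com/foo?bar=baz;a=b",  // ';' as parameter separator
            "images/logo.png",                     // relative reference
            "javascript:alert('hello')",           // value quoted in the comment
            " JavaScript:alert('hello')",          // same value, case and space varied
        };
        for (String v : samples) {
            System.out.println(isAllowedUrl(v) + "  " + v);
        }
    }
}
```

The check covers URL-valued attributes only; style values need their own handling, and the result is only meaningful if the value is HTML-escaped when written into the page.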