Cross-site scripting protection

  • Ben Soares
    Message 1 of 2 , Jan 30, 2004
      Hi,

      Are there any methods/flags/options available in Apache::ASP to help the
      developer protect against cross-site scripting?

      Any other recommendations in this area?

      Thanks,

      Ben
      --
      Ben Soares tel: +44 (0)131-651 1238
      EDINA, Edinburgh University Data Library fax: +44 (0)131-650 3308
      Main Library Building, George Square email: ben.soares@...
      Edinburgh EH8 9LJ, Scotland, UK www: http://edina.ac.uk/

      "Hmmm, that makes no sense to me...
      But then you are very small, perhaps you're right." -- Treebeard



      ---------------------------------------------------------------------
      To unsubscribe, e-mail: asp-unsubscribe@...
      For additional commands, e-mail: asp-help@...
    • Josh Chamas
      Message 2 of 2 , Jan 30, 2004
        Ben Soares wrote:
        > Hi,
        >
        > Are there any methods/flags/options available in Apache::ASP to help the
        > developer protect against cross-site scripting?
        >
        > Any other recommendations in this area?
        >

        Any bit of dynamic data ( i.e. data you can't trust ) rendered on your page
        should be escaped with

        <%= $Server->HTMLEncode($data) %>

        You can create a quick alias for that in global.asa like:

        # global.asa
        sub enc($) { $Server->HTMLEncode(shift) }

        and then call

        <%= enc($data) %>

        or you can turn it into an XMLSubs routine like:

        sub my::enc {
            my($args, $html) = @_;
            print $main::Server->HTMLEncode($html);
        }

        and then use it like:

        <my:enc><%= $data %></my:enc>

        I am sure others will have other methods they like to use for this... :-)

        Regards,

        Josh

        ________________________________________________________________
        Josh Chamas, Founder phone:925-552-0128
        Chamas Enterprises Inc. http://www.chamas.com
        NodeWorks Link Checker http://www.nodeworks.com

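Added example, not code from the thread or from Apache::ASP itself: a stand-alone Perl script showing the escape-every-untrusted-value rule Josh describes. `html_encode()` and the `enc()` alias are assumed stand-ins for `$Server->HTMLEncode`, so the script runs without an Apache::ASP server; it covers HTML text and quoted attribute values only, which is the context the thread is about.

```perl
#!/usr/bin/perl
# Stand-alone illustration of escaping untrusted data at output time.
# html_encode() is an assumption: a hand-written escaper that stands in for
# $Server->HTMLEncode so the script runs outside Apache::ASP. It handles the
# characters that matter in HTML text and in double- or single-quoted attribute
# values; it is not an escaper for JavaScript, CSS or URL contexts.
use strict;
use warnings;

my %ENTITY = (
    '&' => '&amp;',
    '<' => '&lt;',
    '>' => '&gt;',
    '"' => '&quot;',
    "'" => '&#39;',   # needed when the value lands inside a ' ' attribute
);

sub html_encode {
    my ($data) = @_;
    return '' unless defined $data;
    # Single pass over one character class, so '&' is encoded exactly once and
    # the replacement entities are never re-encoded within the same call.
    (my $out = $data) =~ s/([&<>"'])/$ENTITY{$1}/g;
    return $out;
}

# The global.asa alias from the post, so templates can read <%= enc($x) %>.
sub enc { html_encode(shift) }

# Constructed sample of untrusted input (think query string, form field or DB row).
my $untrusted = q{<script>alert("xss")</script> & 'quote'};

# Same value rendered in two places: element text and an attribute value.
my $page = sprintf(
    "<p>Your name: %s</p>\n<input type=\"text\" value=\"%s\">\n",
    enc($untrusted), enc($untrusted),
);
print $page;

# Self-checks: no raw markup character from the input survives, the ampersand
# is encoded, and encoding twice visibly double-encodes (escape once, at output).
die "raw markup leaked"     if enc($untrusted) =~ /[<>"']/;
die "ampersand not encoded" unless enc('a&b') eq 'a&amp;b';
die "unexpected result"     unless enc(enc('&')) eq '&amp;amp;';
```

Run it with `perl` on any machine; the `die` lines at the end act as a built-in regression check, and the double-encoding line is the reminder to escape a value once, when it is written into the page, rather than when it is stored.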