[Full-Disclosure] [anti-XSS]about CERT/CC:malicious_code_mitigation
Valdis.Kletnieks at vt.edu
Mon Aug 9 18:29:15 BST 2004
On Sat, 07 Aug 2004 06:25:00 -0000, bitlance winter said:
> #! The first function takes the negative approach.
> #! Use a list of bad characters to filter the data
> sub FilterNeg {
> local( $fd ) = @_;
> $fd =~ s/[\<\>\"\'\%\;\)\(\&\+]//g;
> return( $fd ) ;
> }
*BZZT!!* Wrong. Don't do this in production code, because...
> I have understood that bad characters are
> < > " ' % ; ) ( & +
If it turns out that * (asterisk) is a "bad character", you're screwed.
If it turns out that *any other* character is "bad", you're screwed.
The *proper* way to do the filtering is to *remove* *all* characters
not known to be good. Something like:
$fd =~ s/[^-_ a-zA-Z0-9]//g;
Only pass alphabetic, numeric, space, hyphen, and underscore. Add other
characters *only* if you can show they are *not* a problem.
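The two approaches side by side, as an added example that is not part of the original mail or of the code it quotes. It is written in Python rather than Perl because the point is the regex character classes, which carry over unchanged; the sample inputs, the `extra_ok` parameter and the `risky_survivors` helper are constructed here for illustration.

```python
import re

# Denylist from the quoted FilterNeg: mirrors the Perl class
# [\<\>\"\'\%\;\)\(\&\+] -- strip the characters believed to be bad,
# pass everything else.
DENYLIST_RE = re.compile(r'[<>"\'%;)(&+]')

# Allowlist from the reply: mirrors the Perl class [^-_ a-zA-Z0-9] --
# strip everything NOT known to be good.
ALLOWLIST_RE = re.compile(r'[^-_ a-zA-Z0-9]')


def filter_neg(data: str) -> str:
    """Negative approach: remove the listed bad characters only."""
    return DENYLIST_RE.sub('', data)


def filter_pos(data: str, extra_ok: str = '') -> str:
    """Positive approach: keep alphanumerics, space, hyphen, underscore.

    extra_ok (an addition of this example, not in the original) widens the
    allowlist deliberately, one character at a time: the "add other characters
    only if you can show they are not a problem" step.
    """
    if extra_ok:
        pattern = re.compile('[^-_ a-zA-Z0-9' + re.escape(extra_ok) + ']')
    else:
        pattern = ALLOWLIST_RE
    return pattern.sub('', data)


def risky_survivors(filter_fn, data: str) -> str:
    """Characters filter_fn let through that are outside the known-good set.

    Returns '' when nothing outside the allowlist survived.
    """
    passed = filter_fn(data)
    return ''.join(sorted(set(passed) - set(filter_pos(passed))))


# Constructed sample inputs. None of these characters is on the denylist,
# yet each is dangerous in some context the filter author did not think of
# (shell, glob/LIKE wildcard, header injection, escape sequences).
SAMPLES = {
    'asterisk (glob / SQL LIKE wildcard)': 'foo*bar',
    'backtick (shell command substitution)': 'foo`id`bar',
    'pipe and slash (shell pipeline, path)': 'foo|cat /etc/passwd',
    'dollar (shell / Perl interpolation)': 'foo$ENV',
    'CR LF (header or log injection)': 'foo\r\nbar',
    'backslash (escape sequences)': 'foo\\bar',
    'classic tag (on the denylist)': '<script>alert(1)</script>',
}


def compare_all() -> dict:
    """Run every sample through both filters and report what survived."""
    return {
        name: {
            'denylist_result': filter_neg(data),
            'denylist_leaks': risky_survivors(filter_neg, data),
            'allowlist_result': filter_pos(data),
        }
        for name, data in SAMPLES.items()
    }


if __name__ == '__main__':
    for name, row in compare_all().items():
        print(f'{name}:')
        print(f'  denylist  -> {row["denylist_result"]!r}'
              f'  leaked: {row["denylist_leaks"]!r}')
        print(f'  allowlist -> {row["allowlist_result"]!r}')
```

Run as a script, every row except the classic tag shows the denylist handing the risky character straight through while the allowlist drops it. Two caveats for anyone lifting the allowlist into real code: as written it also strips characters legitimate data may need (the `.` and `@` of an e-mail address, for instance), which is exactly why the reply says to widen it only character by character with a reason; and stripping silently alters the input, so for fields that must round-trip unchanged, rejecting the request outright is the safer alternative to cleaning it.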
Full-Disclosure is hosted and sponsored by Secunia.