Content Control aka Content Restriction to prevent XSS

zhongde
Joined: 04 Mar 2009
Posted: Wed Mar 04, 2009 5:33 am    Post subject: Content Control aka Content Restriction to prevent XSS

Hi everyone,

I'm kind of new to this forum. I hope to get some of your advice regarding XSS prevention.

I'm currently toying with the idea of providing a service for developers to sanitize output HTML to ensure that only legitimate script can be executed. The process goes like this:

1. The web developer determines which areas require filtering and which technique (whitelist, blacklist or encoding) to apply

2. The web developer creates filtering rules based on the findings above

3. The rules will be saved in the database

4. Each time filtering is required for a page, the server will retrieve the filtering rules from the database and perform the filtering

5. The filtered data will be sent to the client browser.


Currently there are similar tools such as

htmltidy <http://tidy.sourceforge.net/>
perl's HTML Scrubber <http://search.cpan.org/~podmaster/HTML-Scrubber-0.08/Scrubber.pm>

The service will be implemented through SOAP or REST.

This service will allow developers to create rules and implement techniques such as blacklist, whitelist and encoding based on their requirements.

Now, I need to know whether there would be problems such as performance issues, security issues or human issues.

Also, let me know if you have come across any similar system that provides the same service.

Finally, if there is such a system, what do you think the essential features would be? For example, allowing developers to validate an attribute's value through a regex.

Looking forward to all your advice, and thanks in advance.

Cheers =D
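The five-step process described in the post above (rules chosen per area, stored, fetched at render time, applied, then the filtered output sent to the browser), together with the regex-validated attribute values mentioned at the end, can be sketched as a single rule-driven filter. The following is an added example written for this thread; it is not the poster's code and not part of the proposed service. The `RULES` dictionary is a constructed stand-in for rules fetched from the database (the schema, the SOAP/REST transport and the function names `sanitize` and `WhitelistSanitizer` are all assumptions for illustration). It uses only the Python standard library: the fragment is parsed, and only whitelisted tags are re-emitted, attribute values must fully match their rule regex after entity decoding, text nodes are entity-encoded, and `script`/`style` are blacklisted together with their content.

```python
"""Rule-driven HTML output filter: whitelist tags, regex-validate attribute
values, encode everything else. Added example, not the poster's code.
"""
import html
import re
from html.parser import HTMLParser

# Constructed rule set standing in for the rules a developer would store in
# the database (hypothetical schema: tag -> {attribute: regex the value must
# fully match}). Anything not listed here is not emitted as markup.
RULES = {
    "p": {},
    "b": {},
    "i": {},
    "br": {},
    "a": {"href": r"https?://[\w./%-]+", "title": r"[\w ,.-]{0,80}"},
    "img": {"src": r"https?://[\w./%-]+", "alt": r"[\w ,.-]{0,120}"},
}
VOID_TAGS = {"br", "img"}                # never get a closing tag
DROP_WITH_CONTENT = {"script", "style"}  # blacklist: tag *and* its text vanish


class WhitelistSanitizer(HTMLParser):
    """Rebuilds a fragment from parsed tokens, so malformed input cannot
    smuggle markup through: only whitelisted tags/attributes are re-emitted,
    attribute values are re-quoted, and text nodes are entity-encoded."""

    def __init__(self, rules):
        super().__init__(convert_charrefs=True)  # entities arrive decoded
        self.rules = rules
        self.out = []
        self._open = []        # stack of emitted tags, keeps output balanced
        self._skip_depth = 0   # > 0 while inside a dropped-content element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self._skip_depth += 1
            return
        if self._skip_depth or tag not in self.rules:
            return  # unknown tag: drop the tag itself, keep its text
        allowed = self.rules[tag]
        kept = []
        for name, value in attrs:
            pattern = allowed.get(name)
            if pattern is None or value is None:
                continue  # attribute not whitelisted for this tag
            # The parser has already decoded &#106;avascript: and friends, so
            # the regex sees the real value; fullmatch anchors both ends.
            if re.fullmatch(pattern, value):
                kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self._open.append(tag)

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # <br/> and similar

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self._skip_depth = max(0, self._skip_depth - 1)
            return
        if self._skip_depth or tag not in self._open:
            return  # stray close tag: ignore rather than unbalance the output
        while self._open:
            closed = self._open.pop()
            self.out.append(f"</{closed}>")
            if closed == tag:
                break

    def handle_data(self, data):
        if not self._skip_depth:
            self.out.append(html.escape(data, quote=False))  # encoding step

    def handle_comment(self, data):
        pass  # comments are dropped outright

    def result(self):
        self.close()
        while self._open:  # close anything the input left open
            self.out.append(f"</{self._open.pop()}>")
        return "".join(self.out)


def sanitize(fragment, rules=RULES):
    """Apply the rule set to one untrusted HTML fragment (steps 4 and 5)."""
    parser = WhitelistSanitizer(rules)
    parser.feed(fragment)
    return parser.result()


if __name__ == "__main__":
    # Constructed attacker-style inputs, not taken from the original post.
    for sample in [
        '<p>Hello <b>world</b><script>alert(1)</script></p>',
        '<a href="javascript:alert(1)" onclick="x()">click</a>',
        '<a href="&#106;avascript:alert(1)">encoded</a>',
        '<img src="http://example.com/a.png" onerror="x()">',
        '<div onmouseover="x()">5 &gt; 3 &amp; "q"</div><b>unclosed',
    ]:
        print(sanitize(sample))
```

Two design points matter more than the rule syntax. First, the output is regenerated from parsed tokens rather than patched with regexes over the raw string, which is why unclosed tags, entity-encoded `javascript:` URLs and event-handler attributes cannot survive. Second, the attribute regexes have to encode the attribute's meaning (here: an anchored scheme whitelist for `href`/`src`), and the whole filter only covers HTML body and attribute-value contexts; a value that ends up inside inline JavaScript, CSS or a URL parameter needs a different encoding rule, so the "which area" decision in step 1 has to record the output context, not just the location.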
zhongde
Joined: 04 Mar 2009
Posted: Wed Mar 04, 2009 5:36 am    Post subject: Benefit

Benefits of the proposed system

o Easy to use and maintain
o Low coupling between application code and filtering code. Changes can easily be made without affecting either side.
o Can be implemented almost immediately if the developers know which areas are potentially risky
o Leverages techniques such as encoding, whitelisting and blacklisting