Posted: Wed Mar 04, 2009 5:33 am Post subject: Content Control aka Content Restriction to prevent XSS
Hi Everyone,
I'm kinda new to this forum. Hope to get some of your advice regarding XSS prevention.
I'm currently toying with the idea of providing a service for developers to sanitize output HTML to ensure that only legitimate script can be executed. The process goes like:
1. Web developer determines which areas require filtering and which technique (whitelist, blacklist or encoding) to apply
2. Web developer creates filtering rules based on the findings above
3. The rules will be saved into the database
4. Each time filtering is required for a page, the server will retrieve the filtering rules from the database and perform the filtering
5. The filtered data will be sent to the client browser.
Currently there are similar tools such as
htmltidy <http://tidy.sourceforge.net/>
perl's HTML Scrubber <http://search.cpan.org/~podmaster/HTML-Scrubber-0.08/Scrubber.pm>
The service will be implemented through SOAP or REST.
This service will allow developers to create rules and implement techniques such as blacklist, whitelist and encoding based on the requirements.
Now, I need to know whether there would be problems such as performance issues, security issues or human issues.
Also, whether you guys have come across any similar system that provides the same service.
Finally, if there is such a system, what do you think the essential features would be? Such as allowing developers to validate attribute values through regex.
Looking forward to all advice and thanks in advance.
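A worked illustration of the rule-driven filtering the post describes (whitelist plus output encoding, with regex validation of attribute values), added here as an example; it is not the poster's code and not part of any of the tools named above. The rule set is a constructed stand-in for what step 3 would store in the database, and its shape (tag -> attribute -> regex the value must fully match) is this example's own convention. Tags and attributes not in the rules are dropped, failing attribute values are dropped, and all text is entity-encoded, which is why a blacklist is not needed.

```python
import html
import re
from html.parser import HTMLParser

# Constructed rule set standing in for the rules the post proposes to keep in a database.
# Shape (this example's own convention): tag -> {attribute: regex the value must fully match}.
# Anything not listed is rejected: unknown tags, unknown attributes (onclick, style, ...),
# and attribute values that fail their regex (e.g. a javascript: URL in href).
WHITELIST_RULES = {
    "p": {},
    "b": {},
    "i": {},
    "br": {},
    "a": {"href": r"https?://[^\s'\"<>]+", "title": r"[\w\s.,-]{0,100}"},
    "img": {"src": r"https?://[^\s'\"<>]+", "alt": r"[\w\s.,-]{0,200}"},
}
VOID_TAGS = {"br", "img"}  # elements that never take a closing tag


class WhitelistSanitizer(HTMLParser):
    """Rebuilds an HTML fragment keeping only whitelisted tags/attributes; encodes all text."""

    def __init__(self, rules):
        super().__init__(convert_charrefs=True)  # entities in input arrive decoded, we re-encode
        self.rules = rules
        self.out = []
        self.open_tags = []  # stack used to emit well-formed closing tags

    def _clean_attrs(self, tag, attrs):
        allowed = self.rules[tag]
        kept = []
        for name, value in attrs:
            pattern = allowed.get(name)
            if pattern is None or value is None:
                continue  # attribute not whitelisted for this tag
            if re.fullmatch(pattern, value) is None:
                continue  # value does not satisfy the developer's regex rule
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        return "".join(kept)

    def handle_starttag(self, tag, attrs):
        if tag not in self.rules:
            return  # non-whitelisted tag is dropped (its text content is still encoded below)
        self.out.append(f"<{tag}{self._clean_attrs(tag, attrs)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # treat <br/> like <br>

    def handle_endtag(self, tag):
        if tag in self.open_tags:
            # Close anything left open inside this tag so the output stays well-formed.
            while self.open_tags:
                t = self.open_tags.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break

    def handle_data(self, data):
        # Encoding step: text can never be interpreted as markup.
        self.out.append(html.escape(data, quote=False))

    def result(self):
        while self.open_tags:  # close tags the input left unclosed
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize(fragment, rules=WHITELIST_RULES):
    """Apply the rule set to one HTML fragment and return the filtered markup."""
    parser = WhitelistSanitizer(rules)
    parser.feed(fragment)
    parser.close()
    return parser.result()


if __name__ == "__main__":
    # Constructed sample input mixing legitimate markup with event handlers and a script block.
    sample = '<p onclick="evil()">Hi <b>there</b></p><script>alert(1)</script>'
    print(sanitize(sample))
```

The regex per attribute is the feature the post asks about in its last question; note that `re.fullmatch` is used rather than `re.match`, so a rule like `https?://...` cannot be satisfied by a value that merely starts with a URL and continues with something else. Because every piece of text is encoded and only listed tags survive, there is no blacklist to keep up to date when a new attack vector appears, which is the main maintenance argument for whitelisting over blacklisting.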
Posted: Wed Mar 04, 2009 5:36 am Post subject: Benefit
Benefits of this proposed system
o Easy to use and maintain
o Low coupling between application code and filtering code. Changes can be easily made without affecting either side.
o Can be implemented almost immediately if the developers know which areas are potentially risky
o Leverage the use of techniques such as encoding, whitelist, blacklist