[Gllug] unicode and cross site scripting vulnerabilities
Sean Burlington
gllug at uncertainty.org.uk
Tue Feb 26 13:07:21 UTC 2002
Hi All,
I would need to make some dynamic web sites more suitable for
internationalisation ...
but I also want to make sure that they are safe from cross site scripting
vulnerabilities ...
one way I sometimes make data safe is to replace or delete all chars except
say a-zA-Z0-9
this means that I can be really sure that no awkward chars like quotes or <>
will hang around to break things.
As I understand it unicode complicates this situation in two ways...
1) chars like 'the chinese character for water' should be allowed
2) there are several different ways of specifying (say) the quote char
So, how do I get around this?
Do I have to find out all the ways of representing any unsafe chars, and
replace/encode these?
I know I'm not the first person to deal with this - but I don't seem to be
able to find any good resources for this issue.
any advice/pointers much appreciated
(php/perl/java/html/css/javascript/mysql/pgsql...)
--
Sean
--
Gllug mailing list - Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug
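An added example, not part of the original post and not the poster's code, contrasting the a-zA-Z0-9 allowlist described above with a Unicode-aware allowlist and with output encoding. It assumes the usual answer to the post's two concerns: canonicalise input to a single form (NFKC, which maps compatibility variants such as fullwidth '<' U+FF1C and fullwidth '"' U+FF02 onto their ASCII counterparts) and then HTML-escape at output time, so non-ASCII content survives while markup characters cannot break out of their context. The sample strings are constructed for the example.

```python
import html
import re
import unicodedata

# Constructed sample inputs (not from the original post).
SAMPLES = {
    # The Chinese character for water: legitimate content, not ASCII.
    "cjk": "\u6c34",
    # The classic harmless XSS test string.
    "script": '<script>alert("x")</script>',
    # The same string using fullwidth forms U+FF1C, U+FF1E and U+FF02,
    # i.e. a second way of "specifying the quote char" and the angle brackets.
    "fullwidth": "\uff1cscript\uff1ealert(\uff02x\uff02)\uff1c/script\uff1e",
}


def strict_allowlist(s: str) -> str:
    """The poster's approach: keep only ASCII letters and digits.

    Safe against markup injection, but it silently deletes every non-ASCII
    character, so internationalised content such as CJK text is lost.
    """
    return re.sub(r"[^a-zA-Z0-9]", "", s)


def unicode_allowlist(s: str) -> str:
    """Allowlist letters and digits in any script.

    str.isalnum() is Unicode-aware, so CJK ideographs pass while quotes and
    angle brackets (in any form) are still dropped. Suitable for fields that
    really are "just a word", not for free text.
    """
    return "".join(ch for ch in s if ch.isalnum())


def escape_for_html(s: str) -> str:
    """Output encoding for the HTML text/attribute context.

    1. Normalise to NFKC so compatibility variants (fullwidth punctuation,
       ligatures, ...) collapse onto a single canonical code point.
    2. HTML-escape the characters that are significant in that context
       (&, <, >, " and ').

    Nothing is deleted: the user's text is preserved exactly, it just cannot
    close an attribute or open a tag. Other contexts (JavaScript strings,
    URLs, SQL) need their own encoders; this one is for HTML only.
    """
    return html.escape(unicodedata.normalize("NFKC", s), quote=True)


def demo() -> dict:
    """Run all three strategies over the samples; returns the results."""
    return {
        name: {
            "strict": strict_allowlist(text),
            "unicode": unicode_allowlist(text),
            "escaped": escape_for_html(text),
        }
        for name, text in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, results in demo().items():
        print(f"{name}:")
        for strategy, out in results.items():
            print(f"  {strategy:8} -> {out}")
```

The point of the NFKC step is that validation or encoding then runs on one canonical representation rather than on every variant the input might have used; because the fullwidth sample normalises to exactly the ASCII sample, both produce the same escaped output. Normalise once at the trust boundary and keep the normalised form, rather than normalising in several places with different settings.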