Re: Apache2 add module help !

André Warnier wrote:
antoine wrote:
Hello ,

Consider that I have an HTML, JavaScript, PHP site.

My goal is to somehow modify the HTML and JavaScript code before the PHP module does its stuff. It is part of a JavaScript injection defense system. So I want to mark benign JavaScript before the PHP module adds bad JavaScript code.

I first thought that an output filter is the solution, but I suppose that in the phase of the output filter the chunks of data will already be produced after PHP code generation (is that right)?

Yes

So the attack is done and I will mark that bad JavaScript injection code as benign.

Is there a way to cope with this by adding a module-filter to Apache and not modifying the PHP module code?

Apart from the yes above, I cannot add much, because it is not very clear to me what you are trying to achieve, or what you are trying to protect against. You seem to say that it is the PHP which inserts the "bad" JavaScript code. But the PHP runs on your server, so that seems to be the right point to protect, and not later try to undo what it might have done. Or do you let any user load their own PHP stuff onto your server, and then just run it?

OK, I will explain. Consider that we have an HTML form and a PHP script that handles the posted data. The scenario is that the bad guy writes in the form, for example, "<script> ... bad javascript code </script>" and posts this, so when the client gets the page we have an attack.

So I want to separate the static JavaScript code from the dynamic one.
I want a filter to process the page before any dynamic content is inserted, for example by the PHP module.




---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
  "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
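
The scenario described in the thread (a PHP script writing posted form data back into the page), as an added example that is not part of the original messages: it shows the unencoded handler beside an output-encoded one, and one way to "mark" the page's own scripts so the browser can tell them from injected ones. The marking uses a Content-Security-Policy nonce, which is a technique chosen for this example and not one proposed by either poster; the function names, the `comment` field and the `/static/app.js` path are assumptions.

```php
<?php
// Added example; not code from the thread. All names are hypothetical.

// Form handler as described in the thread: the posted text is written into
// the page unchanged, so any markup in it becomes part of the HTML.
function render_comment_vulnerable(string $comment): string
{
    return '<p>' . $comment . '</p>';
}

// Hardened handler: encode the value for an HTML text context on output.
function render_comment_encoded(string $comment): string
{
    return '<p>' . htmlspecialchars($comment, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</p>';
}

// "Mark the benign JavaScript": the page's own script tag carries a
// per-response nonce, and the Content-Security-Policy header tells the
// browser to execute only scripts bearing that nonce.
function render_page(string $comment, string $nonce): array
{
    $header = "Content-Security-Policy: script-src 'nonce-" . $nonce
        . "'; object-src 'none'; base-uri 'none'";
    $body = "<!doctype html>\n<html><body>\n"
        . '<script nonce="' . $nonce . '" src="/static/app.js"></script>' . "\n"
        . render_comment_encoded($comment) . "\n"
        . "</body></html>\n";
    return [$header, $body];
}

$nonce = base64_encode(random_bytes(16)); // fresh, unpredictable value per response
// Constructed sample input, used when no form data was posted (e.g. CLI run).
$comment = $_POST['comment'] ?? '<script>/* constructed sample input */</script>';

[$header, $body] = render_page($comment, $nonce);

if (PHP_SAPI === 'cli') {
    // Command-line run: print both renderings and the header for comparison.
    echo 'unencoded: ', render_comment_vulnerable($comment), "\n";
    echo 'encoded:   ', render_comment_encoded($comment), "\n";
    echo $header, "\n\n";
} else {
    header($header);
}
echo $body;
```

Encoding on output is what stops the posted text from becoming markup; the nonce is a second layer, so a script element that slips through without the nonce is not executed by a browser that enforces the policy.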