> -----Original Message-----
> From: Ulf Harnhammar [mailto:ulfh@update.uu.se]
> Sent: Sunday, 10 November 2002 2:22 PM
> To: Justin King
> Subject: Re: A technique to mitigate cookie-stealing XSS attacks
>
> On Thu, 7 Nov 2002, Justin King wrote:
>
> > I would be very interested in major browsers supporting a <dead> tag with an
> > optional parameter to be a hash of the data between the opening and closing
> > dead tag. This tag would indicate that no "live" elements of HTML be
> > supported (e.g., JavaScript, VBScript, embed, object).
>
> I'm not sure if that's the best solution. Lots of code out there does much
> less filtering than it should, so there will probably be a way to include
> a </dead> tag and then use all the usual XSS tricks.

I'm not sure it's the best solution either: how many of you have used code such as <a href='javascript:...'> and so on? It's not going to be as easy as it looks - of course if you don't use javascript AT ALL then sure, but many sites use javascript rollovers and so on. We need a more effective response than this.

Since javascript (and other client side scripting technologies) are becoming more popular and functional, it seems like imho the 'best' alternative is the cookie-blocking approach. This would stop the *effect* of XSS, much the same as blocking user privileges doesn't stop them running malware but prevents them from having an effect.

jasonk

> // Ulf Harnhammar
> VSU Security
> ulfh@update.uu.se
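
An added example, not part of the original thread: a small Python model of the proposed <dead> tag, showing how the optional hash parameter changes the outcome of the early </dead> injection discussed above. The `hash="..."` attribute syntax, the use of SHA-256, the fail-closed behaviour on mismatch and all function names are assumptions; the thread specifies none of them.

```python
import hashlib
import html
import re

# Assumed syntax for the proposed tag: <dead> or <dead hash="<sha256 hex>">
OPEN = re.compile(r'<dead(?:\s+hash="([0-9a-f]{64})")?\s*>', re.I)
CLOSE = re.compile(r'</dead\s*>', re.I)


def wrap_dead(untrusted: str, with_hash: bool = True) -> str:
    """Server side: wrap untrusted markup, optionally bound to its digest."""
    if not with_hash:
        return f"<dead>{untrusted}</dead>"
    digest = hashlib.sha256(untrusted.encode()).hexdigest()
    return f'<dead hash="{digest}">{untrusted}</dead>'


def render(page: str) -> tuple[str, bool]:
    """Model of the browser side. Returns (rendered markup, integrity_ok).

    Dead regions are emitted escaped (inert). If a region carries a hash
    that does not match its body, rendering stops there (fail closed).
    """
    out, pos = [], 0
    while (m := OPEN.search(page, pos)) is not None:
        out.append(page[pos:m.start()])
        c = CLOSE.search(page, m.end())
        body = page[m.end():c.start()] if c else page[m.end():]
        expected = m.group(1)
        if expected and hashlib.sha256(body.encode()).hexdigest() != expected.lower():
            return "".join(out), False
        out.append(html.escape(body))
        pos = c.end() if c else len(page)
    out.append(page[pos:])
    return "".join(out), True


# Constructed inputs: one benign comment, one that closes the region early.
BENIGN = "nice <b>post</b>"
BREAKOUT = "hi</dead><script>x()</script>"

if __name__ == "__main__":
    for comment in (BENIGN, BREAKOUT):
        for with_hash in (False, True):
            page = "<p>" + wrap_dead(comment, with_hash) + "</p>"
            print(with_hash, render(page))
```

Without the hash, the region ends at the first </dead> and the remainder of the comment is rendered as live markup; with the hash, the truncated body no longer matches the digest the server wrote, so the model stops rendering.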