It's good practice to try them all just in case some characters and strings are disallowed.
USERINPUT8 is also open to similar HTML injection strings. Here's a favorite that uses an event handler:
notThere' onerror='alert(1)
Preventing XSS is typically accomplished by escaping or encoding potentially
malicious characters. For instance, if a user inputs into a
text field, the server may respond with the following escaped string:
<script>alert(1)</script>
Depending on where the escaped string is located, the string would appear as though
it were the original and will not be executed. Escaping is much more complex and is
thoroughly discussed in the countermeasure, "Preventing Cross-Site Scripting," later in
this chapter. Most escaping routines either forget to escape potentially malicious characters
and strings, or they escape with the wrong encoding. For example, USERINPUT9 is
interesting because on* event handlers interpret HTML entity encodings as ASCII, so
one could mount the same attacks with the following two strings:
x');alert(1);
and
x');alert(1)
Chapter 2: Cross-Site Scripting 41
Finally, USERINPUT10 can be exploited with event handlers and breaking out of the
input tag.
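The point made above about USERINPUT9, that a browser decodes HTML entities inside an on* event handler attribute before the JavaScript engine ever sees the value, is the reason output encoding has to match the context the data lands in. The following Python is an added example, not code from the book: it models the browser's attribute decoding with html.unescape and the JavaScript engine's reading of a string literal with json.loads (both are assumptions for illustration), and contrasts entity-only escaping, which the browser undoes, with layered JavaScript-then-HTML encoding, which survives. The sample inputs are constructed for the demonstration.

```python
import html
import json

# Constructed sample inputs for this demonstration (not from the book page).
TEXT_INPUT = "<script>alert(1)</script>"
HANDLER_INPUT = "x');alert(1);"


def escape_for_html_text(user_input: str) -> str:
    """Encoding for untrusted data placed in HTML text content: <, >, &, "
    and ' become entities, so the browser renders the text instead of
    parsing a <script> element."""
    return html.escape(user_input, quote=True)


def browser_decodes_attribute(attribute_value: str) -> str:
    """Model (assumption) of what a browser does with an on* attribute before
    the JavaScript engine sees it: entity references are decoded back to the
    characters they stand for. This is the behaviour the text describes."""
    return html.unescape(attribute_value)


def js_string_encode(user_input: str) -> str:
    """JavaScript string-literal encoding: every character that is not an
    ASCII letter or digit becomes a \\uXXXX escape (UTF-16 code units, so
    astral characters become a surrogate pair). Quotes, parentheses and
    semicolons can then no longer close the literal or act as code."""
    out = []
    for ch in user_input:
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        else:
            units = ch.encode("utf-16-be")
            for i in range(0, len(units), 2):
                out.append("\\u%04x" % int.from_bytes(units[i:i + 2], "big"))
    return "".join(out)


def escape_for_js_string_in_handler(user_input: str) -> str:
    """Layered encoding for untrusted data inside a JS string literal in an
    on* attribute: JS encoding first (inner context), HTML attribute
    encoding second (outer context). The browser undoes the outer layer,
    the JS engine undoes the inner one, and neither ever sees a raw quote."""
    return html.escape(js_string_encode(user_input), quote=True)


def js_engine_reads_literal(js_literal: str) -> str:
    """Model (assumption) of the JS engine evaluating the body of a string
    literal: \\uXXXX escapes are resolved. JSON string syntax is close enough
    for this purpose and is used as the decoder."""
    return json.loads('"' + js_literal + '"')


def handler_payload_survives(encoded: str) -> bool:
    """True if, after the browser's entity decoding, a raw quote or angle
    bracket is back in the attribute value, i.e. the encoding was undone."""
    decoded = browser_decodes_attribute(encoded)
    return any(ch in decoded for ch in "'\"<>")


def demo() -> dict:
    """Compare entity-only escaping with layered escaping for the handler
    input and return every intermediate value for inspection."""
    weak = html.escape(HANDLER_INPUT, quote=True)     # what a naive filter does
    strong = escape_for_js_string_in_handler(HANDLER_INPUT)
    return {
        "text_context": escape_for_html_text(TEXT_INPUT),
        "weak_attr": weak,
        "weak_survives": handler_payload_survives(weak),       # True
        "strong_attr": strong,
        "strong_survives": handler_payload_survives(strong),   # False
        # The JS engine gets the original text back as data, not as code.
        "strong_roundtrip": js_engine_reads_literal(browser_decodes_attribute(strong)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the script shows the entity-only version of the handler input decoding straight back to a string with a live single quote, while the layered version keeps every non-alphanumeric character as a \uXXXX escape all the way through; the better design choice remains not to place untrusted data in event handler attributes at all, with this layering reserved for the cases where it cannot be avoided.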