xss prevention (yet again, right? ;d)

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

s.dot
Tranquility In Moderation
Posts: 5001
Joined: Sun Feb 06, 2005 7:18 pm
Location: Indiana

Post by s.dot »

I think my XSS prevention measures are pretty good, at the moment. I allow users to enter HTML directly, and have that filtered by a class that feyd wrote me, and then an additional filter that I wrote myself (mostly just checks for flash files).

I have thought about replacing all links that they enter with a redirect link handled by the server.

http://www.somedomain.com/someimage.jpg would become:
http://www.mydomain.com/redirect.php?li ... eimage.jpg

This would force anything potentially malicious to be handled by the server.

Are there any cons to doing this?
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Overall it should be fine. You could add click tracking amongst other things to the redirector. If you want to prevent users from removing the click tracking then you would need to change the "link" to an ID of some fashion so it can't easily be transformed into an actual URL without requesting it from the server.
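An added example of both approaches discussed in this thread, written here for illustration and not code from s.dot, feyd, or any library: it rewrites `href`/`src` attributes in already-filtered user HTML so they go through a server-side redirector, first in the plain `?link=` form (the query parameter name is an assumption, since the URL in the post is truncated) and then in the opaque-ID form feyd suggests, where the real URL is kept server-side and only an integer ID is exposed. It also shows the `redirect.php` side validating the target again before issuing the redirect, so that a hand-crafted query string cannot turn the redirector into a bounce to a non-http target. All function names, the `$store` array standing in for a database table, and the sample HTML are constructed for this example.

```php
<?php
// Added example (not from the thread). Function names, the in-memory $store
// (a stand-in for a database table) and the sample HTML are all constructed.

const REDIRECT_BASE = 'http://www.mydomain.com/redirect.php';

/**
 * Accept only absolute http/https URLs. Rejecting every other scheme keeps
 * script-bearing URLs (javascript:, data:, vbscript:) out of the redirector
 * and out of the rewritten markup.
 */
function isSafeTarget(string $url): bool
{
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return false;
    }
    return in_array(strtolower($parts['scheme']), ['http', 'https'], true);
}

/** Variant 1 (s.dot's idea): the URL travels in the query string. Users can strip it. */
function redirectUrlFor(string $target): string
{
    return REDIRECT_BASE . '?link=' . rawurlencode($target);
}

/**
 * Variant 2 (feyd's suggestion): the URL is stored server-side and only an ID
 * is exposed, so the link cannot be turned back into the real URL without
 * asking the server. Existing targets are reused rather than stored twice.
 */
function redirectIdFor(string $target, array &$store): string
{
    $id = array_search($target, $store, true);
    if ($id === false) {
        $store[] = $target;
        $id = array_key_last($store);
    }
    return REDIRECT_BASE . '?id=' . $id;
}

/**
 * Rewrite href/src attributes in HTML that has already been through the
 * HTML filter. Targets that fail isSafeTarget() are neutralised entirely.
 */
function rewriteLinks(string $html, array &$store, bool $useIds = false): string
{
    return preg_replace_callback(
        '/\b(href|src)\s*=\s*(["\'])(.*?)\2/i',
        function (array $m) use (&$store, $useIds): string {
            $target = html_entity_decode($m[3], ENT_QUOTES, 'UTF-8');
            if (!isSafeTarget($target)) {
                return $m[1] . '=""';   // unsafe scheme: empty the attribute
            }
            $new = $useIds ? redirectIdFor($target, $store) : redirectUrlFor($target);
            return $m[1] . '=' . $m[2] . htmlspecialchars($new, ENT_QUOTES, 'UTF-8') . $m[2];
        },
        $html
    );
}

/**
 * redirect.php side: resolve ?id= or ?link= to a target and validate it again
 * before it is used, so a hand-edited query string cannot bounce a visitor to
 * a non-http destination. Returns null when nothing safe could be resolved.
 * Click tracking, as feyd mentions, would be logged here before returning.
 */
function resolveRedirect(array $query, array $store): ?string
{
    if (isset($query['id']) && ctype_digit((string) $query['id'])) {
        $target = $store[(int) $query['id']] ?? null;
    } else {
        $target = $query['link'] ?? null;
    }
    return ($target !== null && isSafeTarget($target)) ? $target : null;
}

// Constructed sample input: the kind of HTML a user might post.
$store = [];
$posted = '<a href="http://www.somedomain.com/page.html">x</a>'
        . '<img src="http://www.somedomain.com/someimage.jpg">'
        . '<a href="javascript:void(0)">dropped</a>';

echo rewriteLinks($posted, $store), "\n";         // ?link=... form, third link emptied
echo rewriteLinks($posted, $store, true), "\n";   // ?id=0 and ?id=1 form

// What redirect.php would do with a request for ?id=1.
$target = resolveRedirect(['id' => '1'], $store);
if ($target === null) {
    echo "404 Not Found\n";                  // http_response_code(404) in redirect.php
} else {
    echo "Location: $target\n";              // header('Location: ' . $target) in redirect.php
}
```

Both variants run the target through `isSafeTarget()` twice: once when the markup is rewritten and once when the redirect is served. The second check is what matters for the `?link=` variant, because that parameter is user-controlled on every request, not only at posting time; the ID variant sidesteps that by never accepting a URL from the client at all.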