Page 1 of 1

xss prevention (yet again, right? ;d)

Posted: Sun Sep 24, 2006 4:21 am
by s.dot
I think my XSS prevention measures are pretty good, at the moment. I allow users to enter HTML directly, and have that filtered by a class that feyd wrote me, and then an additional filter that I wrote myself (mostly just checks for flash files).

I have thought about replacing all links that they enter with a redirect link handled by the server.

http://www.somedomain.com/someimage.jpg would be come..
http://www.mydomain.com/redirect.php?li ... eimage.jpg

This would force anything potentially malicious to be handled by the server.

Are there any cons to doing this?

Posted: Sun Sep 24, 2006 8:37 am
by feyd
Overall it should be fine. You could add click tracking amongst other things to the redirector. If you want to prevent users from removing the click tracking then you would need to change the "link" to an ID of some fashion so it can't easily be transformed into an actual URL without requesting it from the server.