<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 TRANSITIONAL//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=UTF-8">
<META NAME="GENERATOR" CONTENT="GtkHTML/3.26.3">
</HEAD>
<BODY>
On Wed, 2010-06-16 at 03:19 +0200, gabmeyer@westweb.at wrote:
<BLOCKQUOTE TYPE=CITE>
<PRE>
Hello,
I had just this idea after reading so much about xss and code injection.
I think there is a simple solution:
1.)
I now invent an attribute called strlen=""
I append this to a &lt;div strlen="94843"&gt;htmlcode with strlen of 94843 bytes including whitespace&lt;/div&gt;
The browser now knows the exact position where the div tag must end.
You cannot inject some code that closes the tag before.
2.)
you can now control the code inside the div.
you can also append a second attribute called "secure" that prevents any script code from running inside the div.
Maybe this idea is not new, or does not work.
Please let me know what you think about this idea.
Christian Gabmeyer
</PRE>
</BLOCKQUOTE>
<BR>
Your strlen attribute won't solve the issue, as the server-side script that will be generating that figure has already ignored the XSS code (if it wasn't missing it, there wouldn't be a problem in the first place!)<BR>
<BR>
Second, I don't think an attribute is going to work to prevent script running. What if you had your own script event handlers there? Also, what about attacks which will leave your tags closed off and open new ones?<BR>
<BR>
Person inserts their name as '&lt;/a&gt;&lt;a href="badsite"&gt;Bob&lt;/a&gt;' (without the single quotes) which gets shoved into a database someplace and then output later on a page inside a link tag to their profile page (for example), so instead of &lt;a href="profile"&gt;Bob&lt;/a&gt;, you get &lt;a href="profile"&gt;&lt;/a&gt;&lt;a href="badsite"&gt;Bob&lt;/a&gt;.<BR>
<BR>
Very simple example, where no script is being run, but still bad code. This is an issue which needs more attention on the server-side of things I feel.<BR>
<BR>
<TABLE CELLSPACING="0" CELLPADDING="0" WIDTH="100%">
<TR>
<TD>
Thanks,<BR>
Ash<BR>
<A HREF="http://www.ashleysheridan.co.uk">http://www.ashleysheridan.co.uk</A><BR>
<BR>
<BR>
</TD>
</TR>
</TABLE>
</BODY>
</HTML>