Comments on: How dangerous is HTML injection? http://damieng.com/blog/2007/12/10/how-dangerous-is-html-injection A .NET developer in Redmond Sun, 14 Mar 2010 14:22:22 -0800 http://wordpress.org/?v=2.9.2 hourly 1 By: Podcast #58 - Blog - Stack Overflow http://damieng.com/blog/2007/12/10/how-dangerous-is-html-injection#comment-19383 Podcast #58 - Blog - Stack Overflow Thu, 18 Jun 2009 02:23:08 +0000 http://damieng.com/blog/2007/12/10/how-dangerous-is-html-injection#comment-19383 [...] always the wrong choice for a framework or API. Forget to encode some bit of user-entered data in one single stinking place in your web app, and you will be totally owned with XSS. Believe it. I know because it’s happened to us. [...] [...] always the wrong choice for a framework or API. Forget to encode some bit of user-entered data in one single stinking place in your web app, and you will be totally owned with XSS. Believe it. I know because it’s happened to us. [...]

]]> By: Thoughts on awareness of security vulnerabilities & full disclosure » DamienG http://damieng.com/blog/2007/12/10/how-dangerous-is-html-injection#comment-5672 Thoughts on awareness of security vulnerabilities & full disclosure » DamienG Thu, 20 Dec 2007 11:13:42 +0000 http://damieng.com/blog/2007/12/10/how-dangerous-is-html-injection#comment-5672 [...] use it to actually exploit sites which is a problem with full disclosure. In the end my article How dangerous is HTML injection was a much neutered version without a killer [...] [...] use it to actually exploit sites which is a problem with full disclosure. In the end my article How dangerous is HTML injection was a much neutered version without a killer [...]

]]> By: Dongyi == ?? » links for 2007-12-19 http://damieng.com/blog/2007/12/10/how-dangerous-is-html-injection#comment-5641 Dongyi == ?? » links for 2007-12-19 Wed, 19 Dec 2007 01:22:36 +0000 http://damieng.com/blog/2007/12/10/how-dangerous-is-html-injection#comment-5641 [...] How dangerous is HTML injection? » DamienG (tags: security programming injection html) [...] [...] How dangerous is HTML injection? » DamienG (tags: security programming injection html) [...]

]]> By: 5 signs your ASP.NET application may be vulnerable to HTML injection » DamienG http://damieng.com/blog/2007/12/10/how-dangerous-is-html-injection#comment-5619 5 signs your ASP.NET application may be vulnerable to HTML injection » DamienG Tue, 18 Dec 2007 01:39:10 +0000 http://damieng.com/blog/2007/12/10/how-dangerous-is-html-injection#comment-5619 [...] If you don't encode data when using any of the following methods to output to HTML your application could be compromised by unexpected HTML turning up in the page and modifying everything from formatting though to capturing and interfering with form data via remote scripts (XSS). Such vulnerabilities are incredibly dangerous. [...] [...] If you don’t encode data when using any of the following methods to output to HTML your application could be compromised by unexpected HTML turning up in the page and modifying everything from formatting though to capturing and interfering with form data via remote scripts (XSS). Such vulnerabilities are incredibly dangerous. [...]

]]> By: steve http://damieng.com/blog/2007/12/10/how-dangerous-is-html-injection#comment-5563 steve Fri, 14 Dec 2007 10:29:34 +0000 http://damieng.com/blog/2007/12/10/how-dangerous-is-html-injection#comment-5563 Oh, and if you must do it manually you can use http://commons.apache.org/lang/api-release/org/apache/commons/lang/StringEscapeUtils.html, which can escape many different purposes including HTML, Javascript and SQL. Apache Commons is one of the most 'common' pieces of util software Java coders should always be using. Oh, and if you must do it manually you can use http://commons.apache.org/lang/api-release/org/apache/commons/lang/StringEscapeUtils.html, which can escape many different purposes including HTML, Javascript and SQL. Apache Commons is one of the most ‘common’ pieces of util software Java coders should always be using.

]]> By: steve http://damieng.com/blog/2007/12/10/how-dangerous-is-html-injection#comment-5562 steve Fri, 14 Dec 2007 10:24:38 +0000 http://damieng.com/blog/2007/12/10/how-dangerous-is-html-injection#comment-5562 JSF escapes HTML by default so you don't _have_ to remember ;) You can turn it off per 'outputText' tag but it defaults, sensibly to 'true'. JSF escapes HTML by default so you don’t _have_ to remember ;) You can turn it off per ‘outputText’ tag but it defaults, sensibly to ‘true’.

]]> By: Damien Guard http://damieng.com/blog/2007/12/10/how-dangerous-is-html-injection#comment-5558 Damien Guard Fri, 14 Dec 2007 00:03:29 +0000 http://damieng.com/blog/2007/12/10/how-dangerous-is-html-injection#comment-5558 No, JSP is just as susceptible to this problem as other web languages. The reason I didn't list what to use in JSP is that it appears there is no standard built-in library function to achieve this in JSP. [)amien No, JSP is just as susceptible to this problem as other web languages. The reason I didn’t list what to use in JSP is that it appears there is no standard built-in library function to achieve this in JSP.

[)amien

]]> By: bhaarat http://damieng.com/blog/2007/12/10/how-dangerous-is-html-injection#comment-5550 bhaarat Thu, 13 Dec 2007 15:50:51 +0000 http://damieng.com/blog/2007/12/10/how-dangerous-is-html-injection#comment-5550 so people working with java/jsp's wont have these issues? so people working with java/jsp’s wont have these issues?

]]>