Simon Willison's Weblog: sanitizationhttp://simonwillison.net/2008-08-29T02:01:48+00:00Simon WillisonCoding Horror: Protecting Your Cookies: HttpOnly2008-08-29T02:01:48+00:002008-08-29T02:01:48+00:00https://simonwillison.net/2008/Aug/29/coding/#atom-tag
<p><strong><a href="http://www.codinghorror.com/blog/archives/001167.html">Coding Horror: Protecting Your Cookies: HttpOnly</a></strong></p>
Jeff Atwood discovers the hard way that writing an HTML sanitizer is significantly harder than you would think. HttpOnly cookies aren’t the solution though: they’re potentially useful as part of a defense in depth strategy, but fundamentally if you have an XSS hole you’re going to get 0wned, HttpOnly cookies or not. Auto-escape everything on output and be extremely cautious with things like HTML sanitizers.
<p>Tags: <a href="https://simonwillison.net/tags/html">html</a>, <a href="https://simonwillison.net/tags/httponly">httponly</a>, <a href="https://simonwillison.net/tags/javascript">javascript</a>, <a href="https://simonwillison.net/tags/jeff-atwood">jeff-atwood</a>, <a href="https://simonwillison.net/tags/sanitization">sanitization</a>, <a href="https://simonwillison.net/tags/security">security</a>, <a href="https://simonwillison.net/tags/xss">xss</a></p>
Javascript protocol fuzz results2008-06-30T15:57:36+00:002008-06-30T15:57:36+00:00https://simonwillison.net/2008/Jun/30/fuzz/#atom-tag
<p><strong><a href="http://www.thespanner.co.uk/2008/06/30/javascript-protocol-fuzz-results/">Javascript protocol fuzz results</a></strong></p>
If your HTML sanitizer uses blacklisting rather than whitelisting here are a few more weird ways of injecting javascript: in to a link that you need to worry about—but you should really switch to whitelisting http:// and https:// instead.
<p>Tags: <a href="https://simonwillison.net/tags/blacklisting">blacklisting</a>, <a href="https://simonwillison.net/tags/firefox">firefox</a>, <a href="https://simonwillison.net/tags/fuzztesting">fuzztesting</a>, <a href="https://simonwillison.net/tags/html">html</a>, <a href="https://simonwillison.net/tags/javascript">javascript</a>, <a href="https://simonwillison.net/tags/sanitization">sanitization</a>, <a href="https://simonwillison.net/tags/security">security</a>, <a href="https://simonwillison.net/tags/whitelisting">whitelisting</a></p>