Amazon Coupons

Ford's next-gen hybrid is aimed squarely at the Toyota Camry Hybrid, and it's one car that just might help Ford escape the implosion of Detroit.

Make winter a wonderland with these high-end snow toys.

It's almost cruel of us to post about the Schöpfer Oculus, a 250-foot luxury yacht inspired by an oceanic fish.

With room for 12 people to comfortably cruise at 25 knots, the rear of the Oculus remains open like a gigantic jaw that's eating the passengers alive in luxury. And what appears to be a cleverly-placed window fills in an apt spot for an eye.

Inside, the ceilings reach an impressive 12-feet (hey, those are higher than where I live every day!) while the entire boat is still described as a "low rider," featuring retractable panels that protect the decks from swells. Wait, why are we even bothering to explain all of this to you? You can't afford it. [Schopfer Yachts via DVICE]

Joe Walker

If you want to protect yourself from a XSS attack, what characters should you escape? I've seen 2 recommendations:

• ', ", <, > and & should be converted to ', ", <, >, &
• Convert anything that isn't ASCII alphanumeric to &#xx;

I've seen the second recommended more and more recently. Which is best?

The argument for escaping all non-ASCII alphanumeric

It's a known security tenet that whitelisting is safer than blacklisting. If you're just escaping ', ", <, > and & then you're blacklisting, which isn't as safe as whitelisting.

There are some practical examples of how this can play out -

(I'm using $ to represent the injection point. This would probably crop up in a template something like this: )

If all the escape() function does is to escape ', ", <, > and &, then what if the user entered a data: URL? You could end up with the following output:

test

Which in case you can't do base64 in your head is equivalent to this:

test

Clearly this is bad - we've let a user XSS us even though we are filtering for XSS. There are many more examples that are similar.

The argument for escaping only ', ", <, > and &

The bad news is that more filtering does not help. If we enhance our escape function to encode every non-alpha, then we would get the following output:

test

Here's the bad news - the above works. (Look: test (if this script gets into your RSS aggregator, then you need a new RSS aggregator.))

Adding the extra filtering has had the following effect:

• It's hidden the hole, so now we're less likely to notice it, and fall in.
• It's wasted bandwidth

So how do we keep ourselves clear of XSS attacks?

The solution is to understand about insertion points.

The following insertion points, are ones that I believe are safe if ', ", <, > and & are escaped:

• $
  (Where div could be p, h*, li, etc - things expecting textual content)
• (i.e. somewhere else that expects textual content)
• (needs different escaping rules)

I think it's likely that virtually any other insertion point is likely to be dangerous. Some examples:

• (no amount of escaping will protect you, prepare to die)
• $> (there are countless events we could latch into, including several non-standard, hard to find ones)
• ... (JavaScript pops up in CSS in many places like width:expression(script_here))
• ... (The example we used above)
• (For similar reasons)
• etc.

The key it to understand the environment into which we are allowing injection. The trend for separating content, style and action into separate files is good because it more clearly defines the environment, but that doesn't stop HTML from being able to embed CSS.

I once saw some code that was JSP containing Java containing HTML containing CSS and JavaScript containing SQL all on one line. An environment so confused that it contained it's very own security hole built right in.

Filtering in DWR

DWR version 3 is nearly cooked, and our escaping functions use the simpler escaping system of just escaping ', ", <, > and &. If anyone knows of any attack that a broader filtering system would protect people from, then please comment.

If you want to protect yourself from a XSS attack, what characters should you escape? I've seen 2 recommendations:

• ', ", <, > and & should be converted to ', ", <, >, &
• Convert anything that isn't ASCII alphanumeric to &#xx;

I've seen the second recommended more and more recently. Which is best?

The argument for escaping all non-ASCII alphanumeric

It's a known security tenet that whitelisting is safer than blacklisting. If you're just escaping ', ", <, > and & then you're blacklisting, which isn't as safe as whitelisting.

There are some practical examples of how this can play out -

(I'm using $ to represent the injection point. This would probably crop up in a template something like this: )

If all the escape() function does is to escape ', ", <, > and &, then what if the user entered a data: URL? You could end up with the following output:

test

Which in case you can't do base64 in your head is equivalent to this:

test

Clearly this is bad - we've let a user XSS us even though we are filtering for XSS. There are many more examples that are similar.

The argument for escaping only ', ", <, > and &

The bad news is that more filtering does not help. If we enhance our escape function to encode every non-alpha, then we would get the following output:

test

Here's the bad news - the above works. (Look: test (if this script gets into your RSS aggregator, then you need a new RSS aggregator.))

Adding the extra filtering has had the following effect:

• It's hidden the hole, so now we're less likely to notice it, and fall in.
• It's wasted bandwidth

So how do we keep ourselves clear of XSS attacks?

The solution is to understand about insertion points.

The following insertion points, are ones that I believe are safe if ', ", <, > and & are escaped:

• $
  (Where div could be p, h*, li, etc - things expecting textual content)
• (i.e. somewhere else that expects textual content)
• (needs different escaping rules)

I think it's likely that virtually any other insertion point is likely to be dangerous. Some examples:

• (no amount of escaping will protect you, prepare to die)
• $> (there are countless events we could latch into, including several non-standard, hard to find ones)
• ... (JavaScript pops up in CSS in many places like width:expression(script_here))
• ... (The example we used above)
• (For similar reasons)
• etc.

The key it to understand the environment into which we are allowing injection. The trend for separating content, style and action into separate files is good because it more clearly defines the environment, but that doesn't stop HTML from being able to embed CSS.

I once saw some code that was JSP containing Java containing HTML containing CSS and JavaScript containing SQL all on one line. An environment so confused that it contained it's very own security hole built right in.

Filtering in DWR

DWR version 3 is nearly cooked, and our escaping functions use the simpler escaping system of just escaping ', ", <, > and &. If anyone knows of any attack that a broader filtering system would protect people from, then please comment.