[Mozile] Mozile 0.8 Save System, Cross Site Scripting
James A. Overton
james at overton.ca
Tue Jun 27 12:58:47 EDT 2006
I've got a basic save system working for Mozile 0.8. Features include:
- Clean-up and formatting functions.
- Default method: dump source to a new window.
- Basic HTTP POST method.
- Warning before leaving the page if there are changes which haven't been saved.
See http://mozile.mozdev.org/0.8/doc/html/ch01s03.html#SavingChanges
Stuff left to do:
- Support other save methods, like save to local file, WebDAV, and send via email.
- Interface for picking how the document is saved and setting saveAs information.
- Implement Max's nice feedback system for POST. See http://mozile.mozdev.org/0.6/docs/WWW/devel/MozilePOSTSave.html
I've included a warning in the 0.8 documentation about cross site
scripting (XSS) security vulnerabilities, a short explanation, and
some links. I'd like to be able to recommend a method for sanitizing
HTML that Mozile sends to the server. I've looked, but I haven't been
able to find a nice convenient stand-alone system. Also good would be
a set of regular expressions, vouched for by a respected source on
security issues, that could be implemented in any language. This is a
good start: http://blog.bitflux.ch/wiki/XSS_Prevention
I hope I'm just missing something obvious, and there's a silver
bullet out there somewhere. :^)
Any suggestions for resources and tools we can recommend to users
for sanitizing the HTML they get from Mozile?
Thanks,
James