-3

On my site, if I were to block `<script>` from the URL, could this prevent some cases of XSS? Any way someone could bypass that?

schroeder
  • 3
    I think you have some misunderstandings here. I assume you mean to filter out the string ` – schroeder May 11 '15 at 19:39
  • 2
    possible duplicate of [Can anybody explain XSS?](http://security.stackexchange.com/questions/1368/can-anybody-explain-xss) – Anonymous May 11 '15 at 21:08

1 Answer

1

Yes, it can be bypassed. First, many filters that attempt to remove `<script>` tags do so in a way that is easily defeated. For example, they may improperly handle input like `<scr<script>ipt>`.

But even when implemented "properly", that is not sufficient, because `<script>` tags are not required to execute JavaScript on a page: event handlers, script URIs, and data URIs can be used as well (note that I am unsure about browser support for the latter two). See OWASP's XSS page for more information.

And in DOM-based XSS, you may not be worried about HTML at all, instead stuffing JavaScript into an execution sink.

Brian H
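The filter weakness described in the answer above, set beside HTML output encoding (the standard alternative, not something the answer itself spells out), as an added example that is not part of the original post. The function names and the second sample input are constructed for illustration.

```javascript
// Single-pass blocklist: deletes each literal "<script>" it finds, once.
function stripOnce(input) {
  return input.replace(/<script>/gi, "");
}

// Repeated blocklist: keeps stripping until the string stops changing.
function stripUntilStable(input) {
  let prev;
  let out = input;
  do {
    prev = out;
    out = stripOnce(out);
  } while (out !== prev);
  return out;
}

// Output encoding for HTML element content and quoted attribute values.
// Every markup-significant character becomes an entity, so nothing the
// user supplied can open a tag or close an attribute.
function escapeHtml(input) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(input).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Sample inputs: the nested string quoted in the answer, plus a constructed
// piece of harmless markup that contains no <script> tag at all.
const nested = "<scr<script>ipt>";
const markup = '<b title="x">hi</b>';

// Run all three treatments over each input for side-by-side comparison.
function report() {
  return [nested, markup].map((s) => ({
    input: s,
    stripOnce: stripOnce(s),               // nested input is reassembled into a tag
    stripUntilStable: stripUntilStable(s), // tag gone, other markup untouched
    escapeHtml: escapeHtml(s),             // all markup rendered inert
  }));
}

console.table(report());
```

`escapeHtml` covers only the HTML body and quoted-attribute contexts; values placed into URLs, inline scripts or DOM sinks need the encoding or safe API for that context.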