On my site, if I were to block <script> from the url, could this prevent some cases of XSS? Any way someone could bypass that?
Asked by schroeder
Yes, it can be bypassed. First, many filters that attempt to remove <script> tags do so in a way that is easily defeated. For example, they may improperly handle input like <scr<script>ipt>.
But even when implemented "properly", that is not sufficient, because <script> tags are not required to execute Javascript on a page: event handlers, script URIs, and data URIs can be used as well (note that I am unsure about browser support for the latter two). See OWASP's XSS page for more information.
And in DOM-based XSS, you may not be worried about HTML at all, instead stuffing Javascript into an execution sink.
Brian H
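As an added illustration (constructed for this page, not code from the question or the answer above), the snippet below contrasts the naive "strip <script>" blacklist the question proposes with HTML output encoding, using the answer's own <scr<script>ipt> input. The template and function names are assumptions made for the demo.

```python
import html
import re

# Naive blacklist of the kind the question proposes: delete the literal
# <script> / </script> tokens from a URL parameter, one pass, case-insensitive.
# Constructed for illustration; this is the approach the answer says fails.
SCRIPT_TAG = re.compile(r"</?script>", re.IGNORECASE)


def naive_strip_script(value: str) -> str:
    """Remove each <script> / </script> token exactly once."""
    return SCRIPT_TAG.sub("", value)


def html_escape(value: str) -> str:
    """The recommended mitigation for an HTML text context: encode the data
    so the browser cannot interpret it as markup, instead of trying to
    recognise every dangerous construct."""
    return html.escape(value, quote=True)


def render_greeting(name: str, mitigation) -> str:
    """Hypothetical template that reflects a query parameter into a text node."""
    return f"<p>Hello, {mitigation(name)}!</p>"


def contains_live_script_tag(rendered: str) -> bool:
    """Defensive check used by the demo: is a real <script> tag still present?"""
    return re.search(r"<script\b", rendered, re.IGNORECASE) is not None


if __name__ == "__main__":
    # Constructed sample input: the nested-tag case quoted in the answer.
    evil = "<scr<script>ipt>"
    # One pass removes the inner token and leaves a well-formed <script> behind.
    print(naive_strip_script(evil))                       # <script>
    print(contains_live_script_tag(render_greeting(evil, naive_strip_script)))  # True
    # Output encoding turns the whole thing into inert text.
    print(render_greeting(evil, html_escape))             # <p>Hello, &lt;scr&lt;script&gt;ipt&gt;!</p>
    print(contains_live_script_tag(render_greeting(evil, html_escape)))        # False
```

Note that escaping is context-specific: this encoder is right for an HTML text node, while attribute, URL and JavaScript contexts each need their own encoding.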
<script>from the URL parameter strings, like a query parameter. Have you done any research into how to prevent XSS? You will find that blacklisting strings in a query parameter is not the recommended way to address this. – schroeder May 11 '15 at 19:39