Line 27: | Line 27: | ||
* The filter should not rely on user input. A false positive cannot be considered a "minor annoyance" just because the user can be shown a dialog to decide whether to actually block the script. In fact, if the filter is compatible enough, it should not be easily disabled. | * The filter should not rely on user input. A false positive cannot be considered a "minor annoyance" just because the user can be shown a dialog to decide whether to actually block the script. In fact, if the filter is compatible enough, it should not be easily disabled. | ||
* The filter should not introduce new vulnerabilities in existing websites (i.e. universal XSS a la IE8). | * The filter should not introduce new vulnerabilities in existing websites (i.e. universal XSS a la IE8). | ||
|Feature non-goals=* This feature will not stop persistent or injected XSS attacks (only reflected ones). | |Feature non-goals=* This feature will not stop persistent or injected XSS attacks (only reflected ones). | ||
* The filter will not be able to deal with complex string transformations employed by web applications. In this case, it will fail to recognize that the script was provided by an input parameter and allow it to run. | * The filter will not be able to deal with complex string transformations employed by web applications. In this case, it will fail to recognize that the script was provided by an input parameter and allow it to run. | ||
}} | }} | ||
{{FeatureInfo | {{FeatureInfo | ||
|Feature priority=Unprioritized | |Feature priority=Unprioritized | ||
|Feature roadmap=Security | |||
}} | }} | ||
{{FeatureTeamStatus | {{FeatureTeamStatus |
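Review bot: `|Feature priority=Unprioritized` is left as is in the same {{FeatureInfo}} block that gains `|Feature roadmap=Security`; placing a feature on the Security roadmap while it stays unprioritized is inconsistent, so either set a priority in this edit or note on the page why it remains unprioritized.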