This is an extension of my earlier XSS question.
Assuming that there isn't a Regex strong enough to guarantee XSS saftey for user entered URLs I'm looking at using a redirect.
(Although if you do have one please add it under the other question)
We have user input web addresses, so:
stackoverflow.com
They want a link to appear for other users, so:
<a href="http://stackoverflow.com">stackoverflow.com</a>
To reduce the risk of hacking I'm planning to use a warning page, so the link becomes:
<a href="leavingSite.aspx?linkid=1234" target="_blank">stackoverflow.com</a>
Then on that page there will be a warning message and a plain link to the original link:
<a href="javascript:alert('oh noes! xss!');">Following this link at your own risk!</a>
As we use a lot of Ajax I want to make that leaving-site page a walled garden of sorts, ideally by essentially logging the user out in that page only. I want them to stay logged in on the original page.
Then if someone does get past the santisation Regex they can't access anything as the duped user.
Anyone know how to do this? Is it possible to log out one window/tab without logging them all out? We support IE & FX, but ideally a solution would work in Opera/Chrome/Safari too.
-
It's not possible to log someone out in just one tab / window.
Keith : That's pretty much what I suspect. Any way to restrict this page at all then?From Greg -
restrict cookies to www.example.com and have the forwarding page at links.example.com
From Erik Johansson
0 comments:
Post a Comment