Tuesday, November 27, 2007

Whitelist vs Blacklist

When thinking about security, and about validating and filtering data, we have two options: either decide what to allow or decide what to prohibit.

On the one hand, you can use a filter to prevent XSS attacks that is based on a regular expression searching for JavaScript code (either script tags or attributes such as onload, onclick, onmouseover...). This would be a blacklist: that is, listing the code that may not be used.

On the other hand, you can allow only HTML tags of the type b, i, u... and eliminate all other tags. That would be a whitelist: that is, limiting what the user can do.

What is preferable?

Using a blacklist, you have to think of every possible attack that may occur. This is a risk, since if an attacker thinks of a method we didn't think of, we would have a huge problem. If instead we use a whitelist, the user's input is accepted only if it meets the standard we permit, which makes it much less probable that an attack succeeds.

The whitelist's disadvantage, on the other hand, is that we may filter out or refuse some information that is really valid.

So, with a blacklist we are more likely to be victims of attacks by malicious hackers, while using a whitelist can leave users without the possibility of making correct entries.
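As an added illustration (not code from the original post), here is a small Python sketch of both approaches: a regular-expression blacklist for the script tags and the event attributes the post lists, beside a whitelist sanitizer that keeps only b, i and u. The sample inputs are constructed for the demonstration.

```python
import re
from html import escape
from html.parser import HTMLParser

# Blacklist: strip <script> tags and the event attributes we thought of;
# anything the pattern does not name passes through untouched.
BLACKLIST = re.compile(
    r"<\s*/?\s*script[^>]*>"
    r"|\s(?:onload|onclick|onmouseover)\s*=\s*(?:\"[^\"]*\"|'[^']*'|\S+)",
    re.IGNORECASE,
)

def blacklist_filter(html: str) -> str:
    return BLACKLIST.sub("", html)

class WhitelistSanitizer(HTMLParser):
    """Keep only <b>, <i>, <u> without attributes; drop every other tag,
    skip <script>/<style> contents and HTML-escape all remaining text."""
    ALLOWED, SKIP = {"b", "i", "u"}, {"script", "style"}

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip_depth = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in self.SKIP:
            self.skip_depth += 1
        elif tag in self.ALLOWED:
            self.out.append(f"<{tag}>")  # attributes discarded on purpose

    def handle_endtag(self, tag):
        if tag in self.SKIP:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif tag in self.ALLOWED:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data))

def whitelist_filter(html: str) -> str:
    p = WhitelistSanitizer()
    p.feed(html)
    p.close()
    return "".join(p.out)

# Constructed samples: an event attribute the blacklist never lists, and a
# valid fragment the whitelist is too strict for.
SAMPLES = ("<b>hi</b> <img src=x onerror=alert(1)>", "<p>Hello <em>world</em></p>")
```

Running both filters over SAMPLES shows the two failure modes side by side: the blacklist leaves the first fragment untouched because onerror is not on its list, while the whitelist reduces the harmless second fragment to plain text.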

Personally, I think the second option is the best, because its consequences are less severe.
