Australia's Leading Computer Emergency Response Team

Whitelisting
Date: 24 June 2008
Original URL: http://www.auscert.org.au/render.html?cid=7066&it=9498

[Image: boom gate bypass]

While looking over the long list of vulnerabilities that were reported to us today, one of them came across as slightly amusing, but put a new spin on the idea of whitelisting.

The product, which will remain nameless, is designed to help produce standards-compliant HTML and also help prevent Cross Site Scripting. It does this using a whitelist to allow only standards-compliant HTML out.

So why did I find this slightly amusing? Because the product itself was (they have since released an update) vulnerable to a Cross Site Scripting attack.

Now, I am not trying to say that this product is bad - many good products have had a vulnerability or two during their life. What I am trying to say is probably something you already know: whitelisting does not always protect you.

Don't get me wrong, I think whitelisting is a good idea; however, it will only protect you against what you are using the whitelist for. Again, this is not rocket science. It is just one more thing to keep in mind when using a whitelist for input validation or sanitisation.

Richard

This actually reminded me of a picture we used during our Unix Web Server Security course (see right). It was originally used for network firewall rules, but applies just as well here.