On Sat, 2006-08-19 at 16:25 +0300, Ahmed Saad wrote: > <div id="comment123" nocode="true"> > <script type="text/javascript">alert('This piece of code will not be > executed even though it evaded the server-side filter');</script> > </div> But what happens if the attacker enters the following as a comment: </div> <script type="text/javascript">alert('This piece of code will not be executed even though it evaded the server-side filter');</script> Blammo! -- as Batman might say -- "nocode" attribute circumvented. The only reliable way to deal with this is server side, by transforming '<' to '<' and so forth. -- Toby Inkster <tobyink@goddamn.co.uk>Received on Monday, 21 August 2006 06:04:26 GMT
This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 7 December 2009 10:49:41 GMT