
Re: Multiple cross-site-scripting bugs

From: Olivier Thereaux <ot@w3.org>
Date: Fri, 4 Oct 2002 13:12:03 +0900
Cc: www-validator@w3.org
To: Tom Gilder <tom@tom.me.uk>
Message-Id: <701C3BFA-D74F-11D6-BF9D-000393BAB03A@w3.org>

Hi Tom, thanks a lot for this report. A few comments inline.

On Monday, Sep 30, 2002, at 23:06 Asia/Tokyo, Tom Gilder wrote:

> Hello, there are multiple ways to insert HTML and scripting into the
> validator...

Cross site scripting vulnerabilities seem to be trendy these days :)

> * Simple querystring:
> http://validator.w3.org/check?uri=http://<script>alert("boo")</script>

Yes, we were aware of this one, and it's fixed in the development 
version. It should be released fairly soon, and we'll encourage people 
running a local validator to upgrade.

> * Character encoding HTTP header:
>   Returning "Content-type: text/html; charset=<script>...</script>"
>   http://validator.w3.org/check?uri=http://tom.me.uk/2002/9/val.asp

Oh, that's a clever one. Ugly, but clever. It seems that this problem 
exists in the dev version, too.

> * Server HTTP header - "Server: <script>...</script>"
> * Content-length HTTP Header - "Content-length: <script>...</script>"

I'm not able to test it with the development version of the validator 
now. Can you try with validator.w3.org:8001?
If you can't, no problem, we will try later.

> All of these should have the HTML escaped before outputting.

We'll try to address all this during the beta test period for the new 
version, due soon.

Thanks again, Tom.

Olivier Thereaux - W3C
http://www.w3.org/People/olivier | http://yoda.zoy.org
Received on Friday, 4 October 2002 00:12:18 UTC
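
The fix Tom proposes (escape on output), applied to the four inputs named in the report, as an added Python example that is not part of the original message and not the validator's own code. The field names, function names and the syntax checks are assumptions made for illustration; the sample values reuse the payload quoted in the report.

```python
import html
import re

# Constructed sample: values taken from the query string or from the remote
# server's response headers, all carrying the payload quoted in the report.
PAYLOAD = '<script>alert("boo")</script>'
SAMPLE = {
    "uri": "http://" + PAYLOAD,
    "charset": PAYLOAD,
    "server": PAYLOAD,
    "content_length": PAYLOAD,
}

# Assumed plausibility checks: a charset label is a short ASCII token,
# Content-Length is a run of ASCII digits.
CHARSET_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._:+-]{0,39}")
LENGTH_RE = re.compile(r"[0-9]{1,19}")


def render_unsafe(fields):
    """The 'before': untrusted values interpolated straight into the report."""
    return "".join(f"<tr><th>{k}</th><td>{v}</td></tr>\n" for k, v in fields.items())


def check_fields(fields):
    """Return the names of fields whose values are not syntactically plausible."""
    bad = []
    if not CHARSET_RE.fullmatch(fields["charset"]):
        bad.append("charset")
    if not LENGTH_RE.fullmatch(fields["content_length"]):
        bad.append("content_length")
    return bad


def render_safe(fields):
    """Escape every untrusted value at the point of output, and flag malformed ones."""
    bad = check_fields(fields)
    rows = []
    for name, value in fields.items():
        # quote=True also escapes " and ', so the value is safe in attributes too.
        cell = html.escape(value, quote=True)
        if name in bad:
            cell += " <em>(malformed)</em>"
        rows.append(f"<tr><th>{html.escape(name)}</th><td>{cell}</td></tr>\n")
    return "".join(rows)


if __name__ == "__main__":
    print(render_safe(SAMPLE))
```

The syntax checks only flag suspicious headers for the reader; the escaping in `render_safe` is what keeps the markup inert, and it applies to every field, including `server`, which has no fixed syntax to validate against.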
