
Multiple cross-site-scripting bugs

From: Tom Gilder <tom@tom.me.uk>
Date: Mon, 30 Sep 2002 15:06:04 +0100
Message-ID: <142349967.20020930150604@tom.me.uk>
To: www-validator@w3.org

Hello, there are multiple ways to insert HTML and scripting into the
validator... 

* Simple querystring:
  http://validator.w3.org/check?uri=http://<script>alert("boo")</script>

* Character encoding HTTP header:
  Returning "Content-type: text/html; charset=<script>...</script>"
  http://validator.w3.org/check?uri=http://tom.me.uk/2002/9/val.asp

* Server HTTP header - "Server: <script>...</script>"
* Content-length HTTP Header - "Content-length: <script>...</script>"

All of these should have the HTML escaped before outputting.


Cheers
-- 
Tom Gilder
http://tom.me.uk/
Received on Monday, 30 September 2002 10:13:41 GMT
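The four injection points in the report share one root cause: values taken from the request (the `uri` query parameter) or from the fetched response (the charset parameter of `Content-Type`, `Server`, `Content-Length`) are reflected into the result page without HTML escaping. The following Python is an added illustration and not code from the validator or from the reporter: `render_unsafe` reproduces the reflected pattern the message describes, `render_safe` escapes every reflected value with `html.escape` and additionally rejects a charset that is not a plausible IANA token, since a charset containing `<` or `"` can never be legitimate. The URI and header values are constructed to mirror the report; the helper names and the token pattern are this example's own assumptions.

```python
import html
import re
from typing import Dict

# Constructed inputs modelled on the injection points listed in the report.
# These are not real responses; they exist only to exercise the two renderers.
REPORTED_URI = 'http://<script>alert("boo")</script>'
CONSTRUCTED_HEADERS: Dict[str, str] = {
    "Content-Type": 'text/html; charset=<script>alert("charset")</script>',
    "Server": '<script>alert("server")</script>',
    "Content-Length": '<script>alert("length")</script>',
}

# Assumed pattern for a plausible charset name: IANA charset names are short
# tokens of letters, digits and a little punctuation, never markup characters.
CHARSET_TOKEN = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._:()+-]{0,39}$")


def charset_from_content_type(value: str) -> str:
    """Return the charset parameter of a Content-Type header, or '' if absent."""
    for param in value.split(";")[1:]:
        name, _, val = param.strip().partition("=")
        if name.strip().lower() == "charset":
            return val.strip().strip('"')
    return ""


def _reflected_values(uri: str, headers: Dict[str, str]) -> Dict[str, str]:
    """Collect the four values the result page reflects back to the user."""
    return {
        "URI": uri,
        "Charset": charset_from_content_type(headers.get("Content-Type", "")),
        "Server": headers.get("Server", ""),
        "Content-Length": headers.get("Content-Length", ""),
    }


def render_unsafe(uri: str, headers: Dict[str, str]) -> str:
    """The reported behaviour: untrusted strings interpolated into HTML verbatim.

    Any of the four values can carry <script> into the page.
    """
    parts = _reflected_values(uri, headers)
    return "".join("<p>%s: %s</p>\n" % (label, value) for label, value in parts.items())


def render_safe(uri: str, headers: Dict[str, str]) -> str:
    """Hardened rendering: escape everything, and validate the charset token.

    html.escape(quote=True) turns <, >, &, " and ' into entities, so a value
    can no longer close the element or open a new one. The charset check is
    defence in depth: a value that is not a token is replaced with a fixed
    message rather than displayed at all.
    """
    parts = _reflected_values(uri, headers)
    if not CHARSET_TOKEN.match(parts["Charset"]):
        parts["Charset"] = "(invalid charset parameter)"
    return "".join(
        "<p>%s: %s</p>\n" % (html.escape(label, quote=True), html.escape(value, quote=True))
        for label, value in parts.items()
    )


def reflected_script_present(page: str) -> bool:
    """Crude check used by the demonstration: is a live <script> tag in the page?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    print("--- unsafe ---")
    print(render_unsafe(REPORTED_URI, CONSTRUCTED_HEADERS))
    print("--- safe ---")
    print(render_safe(REPORTED_URI, CONSTRUCTED_HEADERS))
```

Escaping at the point of output is the fix the report asks for and is sufficient on its own; the charset whitelist only narrows what reaches the page in the first place. Note that escaping must happen for every reflected value, including ones like `Content-Length` that one might assume are always numeric: the report shows the server controls them.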
