- From: Bjoern Hoehrmann <derhoermi@gmx.net>
- Date: Fri, 10 Mar 2006 08:21:36 +0100
* Alexey Feldgendler wrote: >This kind of attack is hard to circumvent through use of HTML cleaners >because id="addtomemories" looks like an innocent attribute, like an >anchor for navigation. Preventing such attacks by a HTML cleaner would >require either making a full list of all "forbidden" IDs, class names etc, >or imposing Draconian rules upon user-supplied content, completely >disallowing such useful attributes like id and class. A full list of all forbidden IDs would be as simple as /^acme-/ which would already be necessary to ensure conforming content. -- Bj?rn H?hrmann ? mailto:bjoern at hoehrmann.de ? http://bjoern.hoehrmann.de Weinh. Str. 22 ? Telefon: +49(0)621/4309674 ? http://www.bjoernsworld.de 68309 Mannheim ? PGP Pub. KeyID: 0xA4357E78 ? http://www.websitedev.de/
Received on Thursday, 9 March 2006 23:21:36 UTC