Re: Security Markup

On Sat, 2006-08-19 at 16:25 +0300, Ahmed Saad wrote:
> <div id="comment123"  nocode="true">
> <script type="text/javascript">alert('This piece of code will not be
> executed even though it evaded the server-side filter');</script>
> </div>

But what happens if the attacker enters the following as a comment:

	</div>
	<script type="text/javascript">alert('This piece of code 
	will not be executed even though it evaded the server-side
	filter');</script>

Blammo! -- as Batman might say -- "nocode" attribute circumvented.

The only reliable way to deal with this is server side, by transforming
'<' to '&lt;' and so forth.

-- 
Toby Inkster <tobyink@goddamn.co.uk>

Received on Monday, 21 August 2006 06:04:26 UTC