Re: Security Markup from Toby Inkster on 2006-08-21 (www-html@w3.org from August 2006)

From: Toby Inkster <tobyink@goddamn.co.uk>
Date: Mon, 21 Aug 2006 07:05:53 +0100
To: Ahmed Saad <ahmed.lists@gmail.com>, www-html@w3.org
Message-Id: <1156140353.2368.3.camel@ophelia.g5n.co.uk>

On Sat, 2006-08-19 at 16:25 +0300, Ahmed Saad wrote:
> <div id="comment123"  nocode="true">
> <script type="text/javascript">alert('This piece of code will not be
> executed even though it evaded the server-side filter');</script>
> </div>

But what happens if the attacker enters the following as a comment:

	</div>
	<script type="text/javascript">alert('This piece of code 
	will not be executed even though it evaded the server-side
	filter');</script>

Blammo! -- as Batman might say -- "nocode" attribute circumvented.

The only reliable way to deal with this is server side, by transforming
'<' to '&lt;' and so forth.

-- 
Toby Inkster <tobyink@goddamn.co.uk>

Received on Monday, 21 August 2006 06:04:26 UTC