- From: Toby Inkster <tobyink@goddamn.co.uk>
- Date: Mon, 21 Aug 2006 07:05:53 +0100
- To: Ahmed Saad <ahmed.lists@gmail.com>, www-html@w3.org
On Sat, 2006-08-19 at 16:25 +0300, Ahmed Saad wrote: > <div id="comment123" nocode="true"> > <script type="text/javascript">alert('This piece of code will not be > executed even though it evaded the server-side filter');</script> > </div> But what happens if the attacker enters the following as a comment: </div> <script type="text/javascript">alert('This piece of code will not be executed even though it evaded the server-side filter');</script> Blammo! -- as Batman might say -- "nocode" attribute circumvented. The only reliable way to deal with this is server side, by transforming '<' to '<' and so forth. -- Toby Inkster <tobyink@goddamn.co.uk>
Received on Monday, 21 August 2006 06:04:26 UTC