- From: Olivier Thereaux <ot@w3.org>
- Date: Fri, 4 Oct 2002 13:12:03 +0900
- To: Tom Gilder <tom@tom.me.uk>
- Cc: www-validator@w3.org
Hi Tom, thanks a lot for this report. A few comments inline.
On Monday, Sep 30, 2002, at 23:06 Asia/Tokyo, Tom Gilder wrote:
>
> Hello, there are multiple ways to insert HTML and scripting into the
> validator...
Cross site scripting vulnerabilities seem to be trendy these days :)
> * Simple querystring:
>
> http://validator.w3.org/check?uri=http://<script>alert("boo")</script>
Yes, we were aware of this one, and it's fixed in the development
version. It should be released fairly soon, and we'll encourage people
running a local validator to upgrade.
> * Character encoding HTTP header:
> Returning "Content-type: text/html; charset=<script>...</script>"
> http://validator.w3.org/check?uri=http://tom.me.uk/2002/9/val.asp
Oh, that's a clever one. Ugly, but clever. It seems that this problem
exists in the dev version, too.
> * Server HTTP header - "Server: <script>...</script>"
> * Content-length HTTP Header - "Content-length: <script>...</script>"
I'm not able to test it with the development version of the validator
now. Can you try with validator.w3.org:8001?
If you can't, no problem, we will try later.
> All of these should have the HTML escaped before outputting.
We'll try to address all this during the beta test period for the new
version, due soon.
Thanks again, Tom.
--
Olivier Thereaux - W3C
http://www.w3.org/People/olivier | http://yoda.zoy.org
Received on Friday, 4 October 2002 00:12:18 UTC