Hello, there are multiple ways to insert HTML and scripting into the validator... * Simple querystring: http://validator.w3.org/check?uri=http://<script>alert("boo")</script> * Character encoding HTTP header: Returning "Content-type: text/html; charset=<script>...</script>" http://validator.w3.org/check?uri=http://tom.me.uk/2002/9/val.asp * Server HTTP header - "Server: <script>...</script>" * Content-length HTTP Header - "Content-length: <script>...</script>" All of these should have the HTML escaped before outputting. Cheers -- Tom Gilder http://tom.me.uk/Received on Monday, 30 September 2002 10:13:41 UTC
This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 14:17:34 UTC