Re: Security Markup
From: Toby Inkster <tobyink@goddamn.co.uk>
Date: Mon, 21 Aug 2006 07:05:53 +0100
To: Ahmed Saad <ahmed.lists@gmail.com>, www-html@w3.org
Message-Id: <1156140353.2368.3.camel@ophelia.g5n.co.uk>

On Sat, 2006-08-19 at 16:25 +0300, Ahmed Saad wrote:
> <div id="comment123" nocode="true">
> <script type="text/javascript">alert('This piece of code will not be
> executed even though it evaded the server-side filter');</script>
> </div>

But what happens if the attacker enters the following as a comment:

</div>
<script type="text/javascript">alert('This piece of code will not be
executed even though it evaded the server-side filter');</script>

Blammo! -- as Batman might say -- "nocode" attribute circumvented.

The only reliable way to deal with this is server side, by transforming
'<' to '&lt;' and so forth.

-- 
Toby Inkster <tobyink@goddamn.co.uk>

Received on Monday, 21 August 2006 06:04:26 GMT
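The break-out described in the message above, next to the server-side encoding it recommends, as an added example that is not part of the original post. The function names are hypothetical, the comment payload is a shortened constructed version of the one quoted, and Python's `html.parser` stands in for a browser's tokenizer (an assumption that holds for this simple nesting case).

```python
import html
from html.parser import HTMLParser

# Constructed sample input, shortened from the comment quoted in the message.
BREAKOUT_COMMENT = '</div> <script type="text/javascript">alert(\'x\');</script>'

WRAPPER_OPEN = '<div id="comment123" nocode="true">'
WRAPPER_CLOSE = '</div>'

def render_raw(comment):
    """Proposed markup with the comment inserted unencoded."""
    return WRAPPER_OPEN + comment + WRAPPER_CLOSE

def render_escaped(comment):
    """Same wrapper, but '<', '>', '&' and quotes are encoded server side."""
    return WRAPPER_OPEN + html.escape(comment, quote=True) + WRAPPER_CLOSE

class ScriptFinder(HTMLParser):
    """For every <script> start tag, record whether a <div> is still open."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.div_depth = 0
        self.scripts = []  # True = script is inside the nocode div

    def handle_starttag(self, tag, attrs):
        if tag == "div":
            self.div_depth += 1
        elif tag == "script":
            self.scripts.append(self.div_depth > 0)

    def handle_endtag(self, tag):
        if tag == "div" and self.div_depth > 0:
            self.div_depth -= 1

def scripts_in(markup):
    """Return one bool per <script> element found in the markup."""
    finder = ScriptFinder()
    finder.feed(markup)
    finder.close()
    return finder.scripts

if __name__ == "__main__":
    # Raw: one script, and it sits outside the nocode div.
    print("raw     :", scripts_in(render_raw(BREAKOUT_COMMENT)))
    # Escaped: the comment is inert text, so no script element exists at all.
    print("escaped :", scripts_in(render_escaped(BREAKOUT_COMMENT)))
    print(render_escaped(BREAKOUT_COMMENT))
```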