[Catalyst] [OT] protecting against attacks with multilingual input
Christopher H. Laco
claco at chrislaco.com
Tue Dec 5 21:11:26 GMT 2006
Jonathan Rockway wrote:
> Nilson Santos Figueiredo Junior wrote:
>> This way, everything will probably just work, even when the user has a
>> "<" on their names or any other weird characters.
>
> No, you can inject plenty of bad code without <. You need to escape &,
> <, >, ", and '.
>
> Otherwise, consider
>
> <footag bar="[% baz %]">
>
> with
>
> baz = " onload="alert('hello!').
>
> This gets rendered as:
>
> <footag bar="" onload="alert('hello!'">
>
> Oops.
>
I call BS. Anyone who does:
<footag bar="[% baz %]">
instead of:
<footag bar="[% HTML.encode(baz) %]">
in that case deserves what they get*.
*Yes, it depends on where $baz is getting set, who sets it, and what it
contains.
-=Chris
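The attribute breakout Jonathan describes, and what encoding before interpolation does to it, as an added example that is not part of the thread. The `html_encode` function is a constructed stand-in for a template encode filter (it escapes the five characters listed in the reply), and the template is filled in by plain string replacement rather than by Template Toolkit.

```python
from html.parser import HTMLParser

# The five characters the reply says must be escaped in HTML output.
# '&' is replaced first so entities produced by the later rules are
# not themselves re-escaped (constructed stand-in for HTML.encode).
_ENTITIES = [("&", "&amp;"), ("<", "&lt;"), (">", "&gt;"),
             ('"', "&quot;"), ("'", "&#39;")]

TEMPLATE = '<footag bar="[% baz %]">'          # the template from the thread
PAYLOAD = '" onload="alert(\'hello!\')'        # the baz value from the thread


def html_encode(value):
    """Escape the five HTML metacharacters, in a safe order."""
    for raw, entity in _ENTITIES:
        value = value.replace(raw, entity)
    return value


def render(template, baz, encode):
    """Interpolate baz into the template, with or without encoding.

    This mimics "[% baz %]" versus "[% HTML.encode(baz) %]"; it is not
    the Template Toolkit engine.
    """
    return template.replace("[% baz %]", html_encode(baz) if encode else baz)


class _AttrCollector(HTMLParser):
    """Record the attributes a browser-like parser sees on <footag>."""

    def __init__(self):
        super().__init__()
        self.attrs = {}

    def handle_starttag(self, tag, attrs):
        if tag == "footag":
            self.attrs = dict(attrs)


def rendered_attributes(markup):
    """Parse rendered markup and return the attributes of the footag element."""
    parser = _AttrCollector()
    parser.feed(markup)
    parser.close()
    return parser.attrs
```

Without encoding the parser sees two attributes (`bar` and an attacker-supplied `onload`); with encoding it sees a single `bar` attribute whose value is the original string, entities decoded.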