[Catalyst] Re: [OT] protecting against attacks with multilingual input
A. Pagaltzis
pagaltzis at gmx.de
Tue Dec 5 21:30:02 GMT 2006
Hi Christopher,
* Christopher H. Laco <claco at chrislaco.com> [2006-12-05 22:20]:
> Jonathan Rockway wrote:
> > No, you can inject plenty of bad code without <. You need to
> > escape &, <, >, ", and '.
> >
> > Otherwise, consider
> >
> > <footag bar="[% baz %]">
> >
> > with
> >
> > baz = " onload="alert('hello!').
> >
> > This gets rendered as:
> >
> > <footag bar="" onload="alert('hello!'">
> >
> > Oops.
> >
>
> I call BS. Anyone who does:
>
> <footag bar="[% baz %]">
>
> instead of:
>
> <footag bar="[% HTML.encode(baz) %]">
>
> in that case deserves what they get*.
Err, that was precisely the point.
The latter escapes <, >, &, " and '.
Regards,
--
Aristotle Pagaltzis // <http://plasmasturm.org/>
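To make the attribute-injection point in the thread concrete, here is an added Python example (not code from the thread or from Template Toolkit; Python's `html.escape` stands in for TT's `HTML.encode` filter, and `footag`/`baz` are the thread's own placeholder names). It renders the same template once with a filter that only touches `<` and once with one that escapes all five characters, then parses the output to see which attributes the tag actually ends up with.

```python
import html
from html.parser import HTMLParser

# The value from the thread (constructed here as a Python string): the leading
# double quote closes bar="" and the rest smuggles in a second attribute.
BAZ = "\" onload=\"alert('hello!')"

# The template from the thread, with the [% baz %] slot as a format field.
TEMPLATE = '<footag bar="%s">'


def escape_lt_only(value):
    """Naive filter reflecting the 'no < means no injection' belief."""
    return value.replace("<", "&lt;")


def escape_attr(value):
    """Escape &, <, >, \" and ' -- the set HTML.encode covers in the thread."""
    return html.escape(value, quote=True)


def render(value, escaper):
    """Render the template with the given filter applied to the value."""
    return TEMPLATE % escaper(value)


class AttrCollector(HTMLParser):
    """Collect the attributes the browser-side parser would see on <footag>."""

    def __init__(self):
        super().__init__()
        self.attrs = {}

    def handle_starttag(self, tag, attrs):
        if tag == "footag":
            self.attrs = dict(attrs)


def attributes_of(markup):
    """Parse rendered markup and return footag's attribute dict (values unescaped)."""
    parser = AttrCollector()
    parser.feed(markup)
    parser.close()
    return parser.attrs


if __name__ == "__main__":
    for name, esc in (("lt-only", escape_lt_only), ("full", escape_attr)):
        out = render(BAZ, esc)
        print(f"{name:8} {out}\n         attrs = {attributes_of(out)}")
```

With the `<`-only filter the parser reports both `bar` and `onload`; with full escaping it reports a single `bar` attribute whose value is the original string, inert as data.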