From: Jiten Bhagat
Subject: Re: [myexperiment-hackers] [2394] trunk/app: Fix for case 98981 - javascript injection in Pack name, reported by Jits.
Date: Wed, 28 Apr 2010 15:17:49 +0100
User-agent: Thunderbird 2.0.0.24 (Windows/20100228)
Danius Michaelides wrote:
>> I've just tested this on the services branch and it does still render
>> the HTML (even though the source has the HTML encoded text). Does this
>> mean that any HTML escaped content in the tooltips will still be
>> rendered by the browser, thus allowing for any script injection
>> regardless of it being html encoded? Or do we need to double html encode
>> stuff? Or maybe the right thing to do here is use the white_list method
>> to explicitly get rid of any <script> tags etc?
>
> In the tooltip case user content ends up being doubly encoded:
> - any user content should be html encoded
> - any html used in a tooltip should also be encoded
>
> Could white list things, yes, but I'd say you'd be safer html escaping
> as well.

OK, fair enough.

Jits

> Danius
>
> _______________________________________________
> myexperiment-hackers mailing list
> address@hidden
> http://lists.nongnu.org/mailman/listinfo/myexperiment-hackers
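The double-encoding rule Danius describes above, shown as an added Ruby example (not code from the thread or from myExperiment). It assumes the same setup the thread discusses: user content (a pack name) is HTML-encoded once for the page, the tooltip body is itself HTML that gets placed in an attribute, and a JavaScript tooltip library later reads that attribute and injects it as HTML. The pack name is a constructed sample, the helper names are hypothetical, and Ruby's `CGI` module stands in for the Rails `h` helper; `browser_renders` models the browser decoding the attribute value once before the tooltip library inserts it.

```ruby
require 'cgi'

# Constructed sample pack name containing markup (not a value from the thread).
USER_PACK_NAME = 'My pack <script>alert(1)</script>'.freeze

# Layer 1: user content is HTML-encoded once, as it must be wherever it
# appears in the page body.
def encode_user_content(name)
  CGI.escapeHTML(name)
end

# Layer 2: the tooltip body is HTML of its own. Because it is stored in an
# attribute that a tooltip library will later inject as HTML, the whole
# tooltip markup, already-encoded user content included, is encoded again.
def tooltip_attribute(name)
  tooltip_html = "<b>Pack:</b> #{encode_user_content(name)}"
  CGI.escapeHTML(tooltip_html)
end

# Models the browser: an attribute value is entity-decoded exactly once when
# the page is parsed; the tooltip library then inserts that string as HTML.
def browser_renders(attribute_value)
  CGI.unescapeHTML(attribute_value)
end

# Single encoding only: the browser's attribute decode removes the one layer,
# so the tooltip library receives the raw <script> tag.
def single_encoded_result(name)
  browser_renders(encode_user_content(name))
end

# Double encoding: after the browser's decode, one layer remains, so the
# tooltip library receives "&lt;script&gt;" and shows it as literal text.
def double_encoded_result(name)
  browser_renders(tooltip_attribute(name))
end

# True when the string the tooltip library would inject still contains a
# live script tag.
def script_tag_live?(html)
  html.include?('<script>')
end

if __FILE__ == $PROGRAM_NAME
  puts "single-encoded -> #{single_encoded_result(USER_PACK_NAME)}"
  puts "double-encoded -> #{double_encoded_result(USER_PACK_NAME)}"
end
```

Run with `ruby tooltip_encoding.rb`: the single-encoded case comes back as the raw script tag, the double-encoded case as `<b>Pack:</b> My pack &lt;script&gt;alert(1)&lt;/script&gt;`, which is bold markup plus harmless literal text once the tooltip library injects it.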