From: Danius Michaelides
Subject: Re: [myexperiment-hackers] [2394] trunk/app: Fix for case 98981 - javascript injection in Pack name, reported by Jits.
Date: Wed, 28 Apr 2010 15:02:02 +0100 (BST)
User-agent: Alpine 2.00 (LRH 1167 2008-08-23)
> I've just tested this on the services branch and it does still render the HTML (even though the source has the HTML encoded text). Does this mean that any HTML escaped content in the tooltips will still be rendered by the browser, thus allowing for any script injection regardless of it being HTML encoded? Or do we need to double HTML encode stuff? Or maybe the right thing to do here is use the white_list method to explicitly get rid of any <script> tags etc?

In the tooltip case user content ends up being doubly encoded:

- any user content should be HTML encoded
- any HTML used in a tooltip should also be encoded

Could white list things, yes, but I'd say you'd be safer HTML escaping as well.

Danius
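The double encoding Danius describes, as an added example that is not part of the original thread or of the myExperiment code base. It assumes Ruby's `CGI.escapeHTML` / `CGI.unescapeHTML`, a constructed pack name as the user input, and a tooltip widget that reads its markup from an HTML attribute (such as `title="..."`) and assigns it to `innerHTML`, which is why an attribute value that the browser decodes once can still end up rendered as markup:

```ruby
require 'cgi'

# Constructed sample input standing in for a user-supplied pack name.
# It is not the payload from case 98981; it only needs a script element.
PACK_NAME = "My Pack <script>alert(1)</script>"

# Single encoding: the tooltip markup, with the raw user content inside it,
# is escaped once so that it can live inside an HTML attribute. The browser
# undoes that single layer when it reads the attribute, so the user's
# <script> comes back out intact.
def single_encoded_tooltip(pack_name)
  CGI.escapeHTML("<b>Pack:</b> #{pack_name}")
end

# Double encoding: the user content is escaped first (it becomes text inside
# the tooltip markup), and then the whole tooltip markup is escaped again for
# the attribute. After the browser's one round of decoding, the tooltip's own
# <b> tag is markup but the user's <script> is still an entity sequence.
def double_encoded_tooltip(pack_name)
  inner = CGI.escapeHTML(pack_name)
  CGI.escapeHTML("<b>Pack:</b> #{inner}")
end

# Models the browser: an attribute value is entity-decoded exactly once, and
# the assumed tooltip widget then hands that string to innerHTML.
def browser_inner_html(attribute_value)
  CGI.unescapeHTML(attribute_value)
end

# Defensive check: would this fragment, if assigned to innerHTML, contain a
# real script element (as opposed to the text "&lt;script&gt;")?
def contains_script_element?(fragment)
  fragment.match?(/<script\b/i)
end

if __FILE__ == $0
  [["single", single_encoded_tooltip(PACK_NAME)],
   ["double", double_encoded_tooltip(PACK_NAME)]].each do |label, attr|
    rendered = browser_inner_html(attr)
    puts "#{label} encoding -> innerHTML: #{rendered}"
    puts "  script element present: #{contains_script_element?(rendered)}"
  end
end
```

The `white_list` approach Danius mentions would instead strip the `<script>` element before the tooltip is built; escaping twice does not need a tag list at all, because every user-supplied `<` survives as `&lt;` in the final DOM regardless of which tag follows it.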