Bugtraq mailing list archives
Re: Re: Re: Apache Server HTML Injection and UTF-7 XSS Vulnerability
From: Jon Ribbens <jon+bugtraq2 () unequivocal co uk>
Date: Fri, 16 May 2008 10:44:15 +0100
On Wed, May 14, 2008 at 05:20:52PM -0000, Tom.Donovan () acm org wrote:
It appears there is little that web servers can do to thwart this, short of changing all '+' characters to %2B. That seems excessive.
To be fair, this is what Microsoft has recommended, explicitly for the purpose of preventing XSS, for *at least* the last 6 years. The library I use does indeed encode "+" as "+".
Current thread:
- Apache Server HTML Injection and UTF-7 XSS Vulnerability lament hero (May 09)
- <Possible follow-ups>
- Re: Apache Server HTML Injection and UTF-7 XSS Vulnerability cxib (May 10)
- Re: Re: Apache Server HTML Injection and UTF-7 XSS Vulnerability yos20053 (May 12)
- Re: Re: Re: Apache Server HTML Injection and UTF-7 XSS Vulnerability cxib (May 12)
- Message not available
- Re: Re: Re: Apache Server HTML Injection and UTF-7 XSS Vulnerability lament hero (May 15)
- Message not available
- Re: Re: Re: Apache Server HTML Injection and UTF-7 XSS Vulnerability Tom . Donovan (May 15)
- Re: Re: Re: Apache Server HTML Injection and UTF-7 XSS Vulnerability Jon Ribbens (May 16)
- Re: Re: Re: Re: Apache Server HTML Injection and UTF-7 XSS Vulnerability yos20053 (May 17)
- Re: Re: Re: Re: Apache Server HTML Injection and UTF-7 XSS Vulnerability Paul Szabo (May 19)
- Re: Re: Re: Re: Apache Server HTML Injection and UTF-7 XSS Vulnerability Tim (May 19)
- Re: Apache Server HTML Injection and UTF-7 XSS Vulnerability William A. Rowe, Jr. (May 19)
- Re: Re: Re: Re: Re: Apache Server HTML Injection and UTF-7 XSS Vulnerability Tom . Donovan (May 19)