WebApp Sec mailing list archives
Re: whitelisting HTML tags
From: Richard Moore <rich () westpoint ltd uk>
Date: Wed, 02 Nov 2005 15:30:39 +0000
Thomas Chiverton wrote:
On Wednesday 02 November 2005 15:17, you said:Can you simply limit your input to character markup tags like <b>, <i> etc?No. IE allows <b style="expression(alert(cookies.password))"> type attacks, iirc.
Sure, but you don't need to support any attributes at all if the character markup tags themselves provide sufficient flexibility. Rich. -- Richard Moore, Principal Software Engineer, Westpoint Ltd, Albion Wharf, 19 Albion Street, Manchester, M1 5LN, England Tel: +44 161 237 1028 Fax: +44 161 237 1031
Current thread:
- whitelisting HTML tags Jeff Robertson (Nov 02)
- Re: whitelisting HTML tags Richard Moore (Nov 02)
- Message not available
- Re: whitelisting HTML tags Richard Moore (Nov 02)
- Message not available
- Re: whitelisting HTML tags Richard Moore (Nov 02)
- Re: whitelisting HTML tags Tomek Perlak (Nov 02)
- Re: whitelisting HTML tags Sverre H. Huseby (Nov 03)
- Re: whitelisting HTML tags bugtraq (Nov 03)
- <Possible follow-ups>
- RE: whitelisting HTML tags Jeff Robertson (Nov 02)
- Re: whitelisting HTML tags Simon Cornelius P. Umacob (Nov 03)
- RE: whitelisting HTML tags RSnake (Nov 03)
- Re: whitelisting HTML tags Tim (Nov 03)
- Re: whitelisting HTML tags Adam Shostack (Nov 04)
- Message not available
- Re: whitelisting HTML tags Adam Shostack (Nov 07)
- RE: whitelisting HTML tags Tim Hollebeek (Nov 07)