Penetration Testing mailing list archives
XSS bypassing htmlentities() function
From: "serge gorbunov" <thermit () rogers com>
Date: Mon, 2 Nov 2009 20:31:44 -0500
Hello everyone,

I'm doing a penetration test of a PHP app. I know that before user data is echoed to the page it goes through the htmlentities() PHP function, like this:

$filtered_data = htmlentities( $data ) ;

$data is some user data that was entered earlier. Then $filtered_data is echoed some time later. Is there a way to inject code into this application, so that later, when it gets echoed back to the users, my code gets executed?

Thanks,
Serge
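The answer to a question like this depends on the flags passed and on where the encoded value ends up in the page, so the following is worth checking on the defending side. This is an added example, not code from Serge's post or from the application he is testing: it shows what the bare call in the post does on older PHP releases, the hardened call a reviewer should expect to see, and why HTML encoding alone is the wrong tool inside a script block. The helper names render_text, render_attr and render_js are this example's own, not PHP built-ins; the sample input is constructed.

```php
<?php
// Added example (not from the original post): what htmlentities() does and
// does not cover, and the flags a defender should expect to see.
// render_text / render_attr / render_js are hypothetical helper names.

// Constructed sample input containing both quote styles and angle brackets.
$data = "O'Brien <b>\"hi\"</b>";

// The call exactly as written in the post. On PHP < 8.1 the default flags
// are ENT_COMPAT | ENT_HTML401: < > & and double quotes are encoded, but
// single quotes are left untouched, so the result is only safe in element
// content or inside a double-quoted attribute. The charset defaults to
// ISO-8859-1 before PHP 5.4 and UTF-8 from 5.4 on; if that differs from the
// page's declared Content-Type, the encoding is applied to the wrong bytes.
$filtered_data = htmlentities($data);

// Hardened call (constants require PHP >= 5.4): ENT_QUOTES encodes both
// quote styles, ENT_SUBSTITUTE replaces invalid byte sequences with U+FFFD
// instead of returning '' (which silently blanks legitimate output), and
// the charset is stated explicitly rather than inherited from php.ini.
function render_text(string $s): string {
    return htmlentities($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// The same encoding is adequate inside a *quoted* HTML attribute value;
// an unquoted attribute cannot be made safe by entity encoding alone.
function render_attr(string $s): string {
    return '"' . render_text($s) . '"';
}

// Inside <script> HTML entities are not decoded, so htmlentities() is the
// wrong tool there. Emit a JSON literal with the HEX flags so that < > & and
// both quote styles are escaped and the value cannot close the tag.
function render_js(string $s): string {
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

echo "default : {$filtered_data}\n";
echo "element : <p>" . render_text($data) . "</p>\n";
echo "attr    : <input value=" . render_attr($data) . ">\n";
echo "script  : <script>var name = " . render_js($data) . ";</script>\n";
```

Run it on the PHP version the target application actually uses and compare the first line against the others: on a pre-8.1 interpreter the default output still carries the raw single quote, which is the difference a code review should flag whenever the encoded value is placed in a single-quoted attribute. The last line is the reminder that the output context, not the input filter, decides which encoder is correct.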