WebApp Sec mailing list archives
Re: AppSec FAQ at OWASP
From: "Laurian Gridinoc" <laur () gd ro>
Date: Fri, 30 Jan 2004 06:37:06 -0000
Omarjan Ismail wrote:
> I would like to know how you deal with the false positive? In the case of <img src="javascript: preview(....)"> or <img src="javascript:window.close()">, etc., if you escape the "(" and ")", that means you render out the harmless Javascript too.
I would say that using unregistered schemes such as 'javascript:' in 'src' or 'href' attributes is bad design.

If you want to bind javascript to an element, use events.

Cheers,
Laurian Gridinoc
Chief Developer
GRAPEFRUIT DESIGN
www.grapefruitdesign.com
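Laurian's point, put into working code as an added example (not code from the thread or from GRAPEFRUIT DESIGN): decide on the URL scheme of a src/href value instead of escaping characters inside it, so harmless parentheses elsewhere are left alone. The scheme allowlist, the entity-decoding and normalization steps, and all sample inputs are constructed for this example.

```javascript
// Added example, not code from the thread: instead of escaping "(" and ")" in
// user-supplied HTML (which also breaks harmless text), reject src/href values
// whose URL scheme is not on an allowlist. Allowlist and inputs are constructed.
const SAFE_SCHEMES = new Set(["http", "https", "mailto"]);

// Attribute values reach the browser entity-decoded, so decode numeric character
// references before looking at the scheme (named entities omitted for brevity).
function decodeNumericEntities(value) {
  return value.replace(/&#(x[0-9a-f]+|[0-9]+);?/gi, (_, num) =>
    String.fromCodePoint(num[0].toLowerCase() === "x" ? parseInt(num.slice(1), 16) : parseInt(num, 10)));
}

// Mirror the browser's URL pre-processing: strip leading/trailing C0 controls and
// spaces, drop tabs and newlines anywhere, then compare case-insensitively.
function normalizeUrl(value) {
  return decodeNumericEntities(value)
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "")
    .replace(/[\t\n\r]/g, "")
    .toLowerCase();
}

// Returns the scheme of a URL, or null for a relative URL that has no scheme.
function urlScheme(value) {
  const m = /^([a-z][a-z0-9+.-]*):/.exec(normalizeUrl(value));
  return m ? m[1] : null;
}

// Relative URLs are allowed; absolute URLs must use an allowlisted scheme.
// Anything unknown (javascript:, data:, ...) is rejected by default.
function isSafeUrlAttribute(value) {
  const scheme = urlScheme(value);
  return scheme === null || SAFE_SCHEMES.has(scheme);
}

// Illustrative rewrite over an HTML fragment: unsafe src/href values are dropped,
// everything else (including parentheses in text or alt attributes) is untouched.
// A real sanitizer should operate on a parsed DOM rather than on raw markup.
function sanitizeUrlAttributes(html) {
  return html.replace(/\s(src|href)\s*=\s*(?:"([^"]*)"|'([^']*)')/gi, (match, name, dq, sq) => {
    const value = dq !== undefined ? dq : sq;
    return isSafeUrlAttribute(value) ? match : ` data-blocked-${name.toLowerCase()}=""`;
  });
}
```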