Re: HTMLEncode

[RSnake <rsnake () shocking com>]

It totally depends on the application.  If the application is asking you
to input the name of a remote image, then no, HtmlEncode will have no
bearing on this.  IE:

if user input = "javascript:('XSS')"
and you print <IMG SRC=$userinput>


You still have Cross site scripting in any example like that and with a
multitude of different HTML tags.  If you haven't already check out my
cheetsheet:  http://www.shocking.com/~rsnake/xss.html

However, to answer your question if you are JUST entering raw
charachters, you should be fine.  I just worry when people think tiny
tools like that are a panacea.

On Fri, 7 Jan 2005, Alfred Hitchcock wrote:

> Hello everybody,
> Could anybody tell me how you can bypass Server.HtmlEncode as it only checks for 4 characters. i.e. &,<,>,".
> So is there any other way of bypassing HtmlEncode which can further lead to XSS

-R

The information in this email is confidential and may be legally
privileged.  It is intended solely for the addressee.  Access to
this email by anyone else is unauthorized.  If you are not the
intended recipient, any disclosure, copying, distribution or any
action taken or omitted to be taken in reliance on it is 
expressly prohibited and may be unlawful.