Multiple cross-site-scripting bugs: msg#00109 org.w3c.validator
Hello, there are multiple ways to insert HTML and scripting into the validator...

* Simple querystring:
  http://validator.w3.org/check?uri=http://<script>alert("boo")</script>
* Character encoding HTTP header: Returning "Content-type: text/html; charset=<script>...</script>"
  http://validator.w3.org/check?uri=http://tom.me.uk/2002/9/val.asp
* Server HTTP header - "Server: <script>...</script>"
* Content-length HTTP Header - "Content-length: <script>...</script>"

All of these should have the HTML escaped before outputting.

Cheers
--
Tom Gilder
http://tom.me.uk/
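An added example, not part of the original post and not the validator's own code: a report renderer that treats the requested URI and the fetched server's response headers as untrusted, escaping each before output and rejecting charset and Content-Length values that are not well formed. The function names and the sample values are hypothetical and constructed for illustration.

```python
import html
import re

# RFC 7230 "token" characters: all a charset name may legitimately contain.
_TOKEN = re.compile(r"^[A-Za-z0-9!#$%&'*+.^_`|~-]+$")

def extract_charset(content_type):
    """Return the charset parameter only if it is a syntactically valid token."""
    m = re.search(r"charset\s*=\s*\"?([^\";]*)", content_type, re.I)
    if not m:
        return None
    value = m.group(1).strip()
    return value if _TOKEN.match(value) else None

def render_report(uri, headers):
    """Build the HTML rows a validator-style page shows for a fetched document.

    Both the URI (from the query string) and every header (from the remote
    server) are attacker-controlled, so each is escaped at the output point.
    """
    esc = lambda s: html.escape(str(s), quote=True)
    charset = extract_charset(headers.get("Content-Type", ""))
    length = headers.get("Content-Length", "")
    length_ok = length.isascii() and length.isdigit()
    rows = [
        ("Address", esc(uri)),
        ("Encoding", esc(charset) if charset else "(unrecognised)"),
        ("Server", esc(headers.get("Server", ""))),
        ("Size", esc(length) if length_ok else "(invalid)"),
    ]
    return "\n".join(f"<tr><th>{k}</th><td>{v}</td></tr>" for k, v in rows)

# Constructed sample mirroring the four injection points listed in the post.
SAMPLE_URI = 'http://<script>alert("boo")</script>'
SAMPLE_HEADERS = {
    "Content-Type": "text/html; charset=<script>x</script>",
    "Server": "<script>x</script>",
    "Content-Length": "<script>x</script>",
}

if __name__ == "__main__":
    print(render_report(SAMPLE_URI, SAMPLE_HEADERS))
```
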