On 2010-05-06 at 7:24, Louis-David Mitterrand wrote:

> Fortunately HTML::Scrubber allows denying specific attributes based on a
> regexp:
>
> 'href' => qr{^(?!(?:java)?script)}i,
> 'src' => qr{^(?!(?:java)?script)}i,
> etc.
That's full of holes. Use a whitelist, not a blacklist.

For instance, it won't catch this:

javascript:alert('XSS')

or this:

jav ascript:alert('XSS');

which will work, at least in some browsers!

Here's a good reference about javascript attacks (not all cases will apply to you, but a good reference nonetheless):

<http://ha.ckers.org/xss.html>

-- 
Michel Fortin
michel.for...@michelf.com
http://michelf.com/

_______________________________________________
Markdown-Discuss mailing list
Markdown-Discuss@six.pairlist.net
http://six.pairlist.net/mailman/listinfo/markdown-discuss
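Added example, not code from this thread or from HTML::Scrubber: a Python transcription of the quoted denylist regex placed beside a scheme allowlist, run over constructed payloads of the kind Michel describes (a tab or newline inside the scheme name, leading whitespace or a leading control character, a scheme the denylist never listed) and over benign URLs. The normalisation step approximates what browsers do to an attribute value before reading its scheme (strip leading and trailing C0 controls and spaces, remove tab, LF and CR anywhere), which is exactly why the denylist keeps these payloads while the allowlist drops them. The payload strings, the allowed-scheme set and the function names are my assumptions.

```python
import re

# The denylist quoted in the thread, Perl qr{^(?!(?:java)?script)}i, in
# Python syntax. A match means "keep the attribute".
DENYLIST_RE = re.compile(r"^(?!(?:java)?script)", re.IGNORECASE)

# Assumed allowlist of schemes worth keeping in href/src. Anything else is
# dropped, including schemes this check has never heard of.
ALLOWED_SCHEMES = frozenset({"http", "https", "mailto", "ftp"})

# Browsers parse URLs leniently (WHATWG URL Standard): leading and trailing
# C0 controls and spaces are stripped, and ASCII tab, LF and CR are removed
# anywhere in the string, before the scheme is read.
_STRIP_CHARS = "".join(chr(c) for c in range(0x21))   # U+0000..U+0020
_DROP_TABLE = {0x09: None, 0x0A: None, 0x0D: None}    # \t, \n, \r

# A scheme is an ASCII letter followed by letters, digits, '+', '.' or '-',
# terminated by ':'; anything starting with '/', '?', '#' etc. has no scheme.
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")


def browser_normalise(url: str) -> str:
    """Approximate what a browser does to an attribute value before parsing."""
    return url.strip(_STRIP_CHARS).translate(_DROP_TABLE)


def denylist_allows(url: str) -> bool:
    """The quoted regex: keeps anything that does not start with (java)script."""
    return DENYLIST_RE.search(url) is not None


def allowlist_allows(url: str) -> bool:
    """Keep only scheme-less (relative) URLs and allowlisted schemes."""
    normalised = browser_normalise(url)
    m = _SCHEME_RE.match(normalised)
    if m is None:
        return True          # no scheme: a relative URL, which cannot run script
    return m.group(1).lower() in ALLOWED_SCHEMES


# Constructed test vectors (assumptions, not from the thread): the shapes
# Michel describes plus two more that browsers also accept.
EVASIONS = [
    "jav\tascript:alert('XSS')",    # tab inside the scheme name
    " javascript:alert('XSS')",     # leading space
    "\x01javascript:alert('XSS')",  # leading C0 control character
    "java\nscript:alert('XSS')",    # newline inside the scheme name
    "vbscript:msgbox(1)",           # a scheme the denylist never mentioned
]
BENIGN = [
    "http://example.com/",
    "HTTPS://example.com/",
    "/relative/path?q=a:b",         # ':' after '/' is not a scheme separator
    "mailto:someone@example.com",
]


def compare(urls):
    """Map each URL to (denylist keeps it?, allowlist keeps it?)."""
    return {u: (denylist_allows(u), allowlist_allows(u)) for u in urls}


if __name__ == "__main__":
    for url, (deny, allow) in compare(EVASIONS + BENIGN).items():
        print(f"{url!r:36} denylist={'keep' if deny else 'drop':4} "
              f"allowlist={'keep' if allow else 'drop'}")
```

Two caveats when wiring a check like this into a real sanitizer: it must run on the entity-decoded attribute value (an HTML parser turns `&#106;avascript:` into `javascript:` before the value reaches you), and the same allowlist idea can be expressed directly in HTML::Scrubber's per-attribute regex as an anchored positive pattern (the allowed schemes, or no colon at all), since anything the pattern fails to match is dropped rather than kept.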