On Thu, May 06, 2010 at 08:14:03AM -0400, Michel Fortin wrote:
> Le 2010-05-06 à 7:24, Louis-David Mitterrand a écrit :
> 
> > Fortunately HTML::Scrubber allows denying specific attributes based on a
> > regexp:
> > 
> >     'href' => qr{^(?!(?:java)?script)}i,
> >     'src'  => qr{^(?!(?:java)?script)}i,
> >     etc.
> 
> That's full of holes. Use a whitelist, not a blacklist. For instance,
> it won't catch this:

I am using a whitelist, it was just an example.

>       
> javascript:alert('XSS')
> 
> or this:
> 
>       jav     ascript:alert('XSS');

Good points.

Perl users might want to HTML::Entities::decode($html) before using
HTML::Scrubber.

> which will work, at least in some browsers!
> 
> Here's a good reference about javascript attacks (not all cases will apply to 
> you, but a good reference nonetheless):
> <http://ha.ckers.org/xss.html>

Thanks,
_______________________________________________
Markdown-Discuss mailing list
Markdown-Discuss@six.pairlist.net
http://six.pairlist.net/mailman/listinfo/markdown-discuss
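An added illustration of the exchange above, in Python rather than Perl, and not code from the thread or from HTML::Scrubber: the denylist regexp quoted in the thread, transcribed to Python, still accepts an entity-encoded or whitespace-split scheme name, while a scheme allowlist applied after entity decoding and whitespace stripping rejects both. The sample values, the ALLOWED_SCHEMES set and the function names are assumptions made for this example.

```python
import html
import re
from urllib.parse import urlsplit

# The denylist regexp from the thread, transcribed from Perl to Python:
# the value passes unless it literally starts with "script" or "javascript".
DENYLIST = re.compile(r"^(?!(?:java)?script)", re.IGNORECASE)

# Assumed allowlist: the only schemes an href/src may carry after normalisation.
ALLOWED_SCHEMES = {"http", "https", "mailto"}

# Browsers skip ASCII whitespace and control characters inside a scheme,
# so the check must drop them before it looks at the scheme.
_WS_CTRL = re.compile(r"[\x00-\x20\x7f]")


def normalise(value: str) -> str:
    """Decode HTML entities (cf. HTML::Entities::decode) and strip what a browser would ignore."""
    return _WS_CTRL.sub("", html.unescape(value))


def denylist_allows(value: str) -> bool:
    """What the thread's regexp decides on the raw attribute value."""
    return DENYLIST.match(value) is not None


def allowlist_allows(value: str) -> bool:
    """Accept relative URLs and URLs whose normalised scheme is allowlisted; reject everything else."""
    scheme = urlsplit(normalise(value)).scheme.lower()
    return scheme == "" or scheme in ALLOWED_SCHEMES


# Constructed sample attribute values: the plain form and the two evasions the thread mentions.
SAMPLES = [
    "http://example.com/",            # allowed by both
    "/relative/page.html",            # allowed by both
    "javascript:alert('XSS')",        # both reject
    "&#106;avascript:alert('XSS')",   # entity-encoded 'j': denylist lets it through
    "jav\tascript:alert('XSS')",      # tab inside the scheme: denylist lets it through
]


def compare() -> dict:
    """Map each sample to (denylist verdict, allowlist verdict)."""
    return {v: (denylist_allows(v), allowlist_allows(v)) for v in SAMPLES}


if __name__ == "__main__":
    for value, (deny, allow) in compare().items():
        print(f"{value!r:36} denylist={deny!s:5} allowlist={allow}")
```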
