I am trying to rid my site of potential XSS vulnerabilities. One that I have found is that if I use $r->uri in my form targets it does not filter out garbage after the filename:
For example, given this URL:

    http://example.com/index.html/bogus_path/<xss>"><script>alert('XSS')</script>/

the tag

    <form target="<% $r->uri %>">

would become:

    <form target="http://example.com/index.html/bogus_path/<xss>"><script>alert('XSS')</script>/ ">

Any suggestions on how to avoid this? I tried looking into using the component path but sometimes the form is generated in a subcomponent.

_______________________________________________
Mason-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/mason-users
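The problem in the post is a missing output-encoding step: the request URI (which, for a path like /index.html/bogus_path/..., includes everything Apache passes as PATH_INFO) is written into an attribute verbatim. The example below is added here and is not from the original post or from HTML::Mason; it shows in Python what Mason's `| h` escape flag does (`<% $r->uri | h %>`, which runs HTML::Entities::encode_entities), plus an optional defense-in-depth step that keeps only the leading path segments made of plain path characters. The sample URI is constructed from the post; the segment policy and the function names are assumptions for illustration.

```python
import html
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample request URI, modelled on the one in the post: the real
# script name followed by a PATH_INFO tail carrying a markup payload.
SAMPLE_URI = (
    'http://example.com/index.html/bogus_path/'
    '<xss>"><script>alert(\'XSS\')</script>/'
)


def attr_escape(value: str) -> str:
    """Output-encode a string for a double-quoted HTML attribute.

    html.escape(quote=True) turns <, >, &, " and ' into entities, which is
    the same transformation Mason applies with the `| h` flag. Encoded this
    way, the value cannot close the attribute or open a new tag.
    """
    return html.escape(value, quote=True)


def form_tag(uri: str) -> str:
    """Render the form tag from the post with the URI properly encoded."""
    return f'<form action="{attr_escape(uri)}">'


# Assumed policy: a path segment is acceptable only if it looks like a plain
# file or directory name. Anything else ends the path we are willing to echo.
_SAFE_SEGMENT = re.compile(r'^[A-Za-z0-9._-]+$')


def safe_form_action(uri: str) -> str:
    """Defense in depth: drop PATH_INFO tails that are not plain path names.

    Keeps the leading run of well-formed segments, discards query and
    fragment, and still output-encodes the result, so encoding is never
    skipped even when the validation step lets a value through.
    """
    parts = urlsplit(uri)
    kept = []
    for segment in (s for s in parts.path.split('/') if s):
        if not _SAFE_SEGMENT.match(segment):
            break
        kept.append(segment)
    path = '/' + '/'.join(kept)
    return attr_escape(urlunsplit((parts.scheme, parts.netloc, path, '', '')))


if __name__ == '__main__':
    print('encoded only:   ', form_tag(SAMPLE_URI))
    print('validated + enc:', f'<form action="{safe_form_action(SAMPLE_URI)}">')
```

Encoding alone is sufficient to stop the injection: the rendered tag contains exactly one `<` and two `"`, and a browser decodes the entities back into the original path when submitting the form. The validation step is for sites that would rather not echo garbage PATH_INFO back at all; in Mason the equivalent would be computing a cleaned value once in the top-level component and passing it to subcomponents instead of re-reading `$r->uri` in each one.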

