Escape it: <form target="<% $r->uri |h %>">

http://masonhq.com/docs/manual/Devel.html#escaping_expressions

Mark Elrod wrote:
> I am trying to rid my site of potential XSS vulnerabilities. One that
> I have found is that if I use $r->uri in my form targets it does not
> filter out garbage after the filename:
>
> For example:
>
> Given this url:
>
> http://example.com/index.html/bogus_path/<xss>"><script>alert('XSS')</script>/
>
> <form target="<% $r->uri %>">
>
> would become:
>
> <form
> target="http://example.com/index.html/bogus_path/<xss>"><script>alert('XSS')</script>/
> ">
>
> Any suggestions on how to avoid this? I tried looking into using the
> component path but sometimes the form is generated in a subcomponent.
>
> -------------------------------------------------------------------------
> This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
> Build the coolest Linux based applications with Moblin SDK & win great prizes
> Grand prize is a trip for two to an Open Source event anywhere in the world
> http://moblin-contest.org/redirect.php?banner_id=100&url=/
> _______________________________________________
> Mason-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/mason-users
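The following stand-alone Perl script is an added illustration of the fix above; it is not code from either message in the thread and does not require a running Mason server. It takes the request path from the original post as a constructed sample (in a real component it would be $r->uri), renders the attribute once unescaped and once through a hand-rolled escape that models Mason's |h filter (Mason's own filter delegates to HTML::Entities; covering exactly the five ASCII characters & < > " ' is an assumption made here so the script needs no CPAN modules), and then counts the tags the browser would actually parse in each case.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample: the request path from the original post.
# In a Mason component this value would be $r->uri.
my $uri = q{/index.html/bogus_path/<xss>"><script>alert('XSS')</script>/};

# Minimal HTML escape, standing in for Mason's |h filter.
# Assumption: escaping & < > " ' is enough for a double- or
# single-quoted attribute value; a real deployment should use the
# |h filter itself, which calls HTML::Entities.
sub html_escape {
    my ($text) = @_;
    my %entity = (
        '&' => '&amp;',
        '<' => '&lt;',
        '>' => '&gt;',
        '"' => '&quot;',
        "'" => '&#39;',
    );
    $text =~ s/([&<>"'])/$entity{$1}/g;
    return $text;
}

# Count the start tags a browser would see in a fragment.
# Used here as a simple check that no tag was injected.
sub tag_count {
    my ($html) = @_;
    my @tags = $html =~ /<(\w+)/g;
    return scalar @tags;
}

# Before: the raw path terminates the attribute and opens new tags,
# which is exactly the breakout shown in the original post.
my $unescaped = qq{<form target="$uri">};

# After: every special character becomes an entity reference, so the
# whole path stays inside one attribute value.
my $escaped = qq{<form target="} . html_escape($uri) . qq{">};

print "Unescaped: $unescaped\n";
print "Escaped:   $escaped\n";
printf "Start tags in unescaped markup: %d\n", tag_count($unescaped);
printf "Start tags in escaped markup:   %d\n", tag_count($escaped);
```

Run it with plain perl; the unescaped line yields several start tags (form, xss, script) while the escaped line yields only the form tag. Note that escaping only neutralises the markup: the bogus path after the filename is still echoed back into the attribute, so the form still points at that path.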

