Re: cross site scripting security issue headsup
At 05:32 PM 02/02/00 -0700, Marc Slemko wrote:

>I thought about not putting the mod_perl specific one in there at all (i.e.
>just the CGI.pm one,

BTW, about the CGI.pm example:

    use CGI ();
    $Text = "foobar";
    $URL = "foobar.html";
    print CGI::escapeHTML($Text), "";

Sorry for being off topic, but FYI, from Bugtraq about Oct 5, 1999, titled "Time to update those CGIs again":

"Seems that at least some Unix versions of Netscape treat characters 0x8b and 0x9b (NOT the strings "0x8b" and "0x9b" but the characters with these ascii values) just like < and > respectively..."

I never tested it, but others on Bugtraq did confirm the problem on Unix versions of Netscape.

Bill Moseley
mailto:[EMAIL PROTECTED]
Re: cross site scripting security issue headsup
Doh, thanks, fixed.

I thought about not putting the mod_perl specific one in there at all (i.e. just the CGI.pm one, and I had removed it, so the error probably came about when I put it back in), but figured I should include it for some reason. Don't know what that reason is. Oh well.

On Wed, 2 Feb 2000, Sander van Zoest wrote:

> On Wed, 2 Feb 2000, Marc Slemko wrote:
>
> > http://www.apache.org/info/css-security/
> > http://www.cert.org/advisories/CA-2000-02.html
>
> I think I have found a little typo/oversight in the mod_perl example on
> http://www.apache.org/info/css-security/encoding_examples.html
>
> It uses escape_html rather than escape_uri on the href line; here is
> a tiny patch.
>
> Cheers,
>
> -
> Sander van Zoest    [EMAIL PROTECTED]
> High Geek           (858) 623-7442
> MP3.com, Inc.       http://www.mp3.com/
> See you at ApacheCon 2000 - Your premiere Music Service Provider (MSP)
>
Re: cross site scripting security issue headsup
On Wed, 2 Feb 2000, Marc Slemko wrote:

> http://www.apache.org/info/css-security/
> http://www.cert.org/advisories/CA-2000-02.html

I think I have found a little typo/oversight in the mod_perl example on
http://www.apache.org/info/css-security/encoding_examples.html

It uses escape_html rather than escape_uri on the href line; here is
a tiny patch.

Cheers,

-
Sander van Zoest    [EMAIL PROTECTED]
High Geek           (858) 623-7442
MP3.com, Inc.       http://www.mp3.com/
See you at ApacheCon 2000 - Your premiere Music Service Provider (MSP)

diff -C3 -r1.4 encoding_examples.html *** encoding_examples.html 2000/02/02 19:26:03 1.4 --- encoding_examples.html 2000/02/03 00:23:54 *** *** 139,145 $Text = "foobar"; $URL = "foobar.html"; $r->print(Apache::Util::escape_html($Text), "
"); ! $r->print("link"); This uses the same functions as in the Apache Module Example, called --- 139,145 $Text = "foobar"; $URL = "foobar.html"; $r->print(Apache::Util::escape_html($Text), "
"); ! $r->print("link"); This uses the same functions as in the Apache Module Example, called
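Review bot: as archived, the two `!` lines of this hunk are identical (`$r->print("link");` on both the `***` and `---` sides) because the HTML inside the print call was stripped when the message was archived, so the hunk no longer shows the escape_html to escape_uri substitution on the href line that the message describes; the only visible difference is the 2000/02/03 timestamp in the file header. Anyone applying this should take the change from the description rather than from the hunk. While touching that line, consider keeping an HTML escape on the attribute as well: a percent-encoded URL can still legitimately contain "&" (a query string), and inside an href attribute that must be &amp; to be valid attribute content, so the safer form is escape_uri on $URL followed by escape_html on the result rather than one encoder or the other.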
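Added example, not code from the Apache css-security page, from CGI.pm or mod_perl, or from anyone in this thread: a standalone Perl script showing the two points raised above, Sander's (the href value wants the URI encoder, not the HTML encoder) and Bill's (an HTML encoder that only handles & < > " lets the bytes 0x8b and 0x9b through, which the quoted Bugtraq post says some Unix Netscape builds treat as < and >). The escape_html and escape_uri functions here are my own implementations named after the page's functions, not Apache::Util's; render_link, the assumption that the href carries a path-style value on an 8-bit page, and the hostile inputs are all constructed for the demonstration.

```perl
#!/usr/bin/perl
# Added example (not from the Apache css-security page or this thread):
# two context-specific output encoders for the mod_perl/CGI.pm snippets
# discussed above.
#
# - escape_html() handles & < > " the way CGI::escapeHTML does, and in
#   addition turns the bytes 0x8b and 0x9b into numeric character
#   references, so a browser that renders those bytes as < and > never
#   sees them raw.
# - escape_uri() percent-encodes a value destined for an href.  It keeps
#   RFC 2396 unreserved characters and "/" so a relative path such as
#   "foobar.html" survives unchanged; every other byte (including ":",
#   which would otherwise let "javascript:" through, and the same
#   0x8b/0x9b bytes) becomes %XX.
#
# Assumptions (mine, not the page's): the href takes a path-style value,
# and the page is served as 8-bit (Latin-1 style) output, which is the
# setting in which raw 0x8b/0x9b bytes matter.

use strict;
use warnings;

sub escape_html {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;      # first, so later entities are not doubled
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    # Lookalikes for < and > on some Unix Netscape builds: bytes 0x8b, 0x9b.
    $s =~ s/([\x8b\x9b])/sprintf('&#%d;', ord $1)/ge;
    return $s;
}

sub escape_uri {
    my ($s) = @_;
    # Keep unreserved characters and "/"; percent-encode everything else.
    $s =~ s{([^A-Za-z0-9\-_.!~*'()/])}{sprintf('%%%02X', ord $1)}ge;
    return $s;
}

# Render a link the way the page's examples do, but with the attribute
# value URI-encoded and then HTML-escaped: an href is still an attribute,
# so a "&" in a query string has to become &amp; after percent-encoding.
sub render_link {
    my ($text, $url) = @_;
    return '<a href="' . escape_html(escape_uri($url)) . '">'
         . escape_html($text) . '</a>';
}

unless (caller) {
    # Constructed inputs: the page's benign values, then hostile ones.
    print render_link("foobar", "foobar.html"), "\n";

    # Link text built from 0x8b/0x9b bytes instead of < and >, and an
    # href that tries to smuggle in a javascript: scheme.
    my $text = "\x8bscript\x9balert(1)\x8b/script\x9b";
    my $url  = "javascript:alert(1)";
    print render_link($text, $url), "\n";
}
```

For the hostile pair, escape_html rewrites each 0x8b as &#139; and each 0x9b as &#155;, so the text never contains a byte that Netscape could read as a tag delimiter, and escape_uri encodes the colon in the href so the value no longer begins with a javascript: scheme. Running the first call alone shows the benign case is untouched: "foobar.html" contains only unreserved characters and a dot, so it passes through both encoders unchanged.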