Re: cross site scripting security issue headsup
At 05:32 PM 02/02/00 -0700, Marc Slemko wrote:
> I thought about not putting the mod_perl specific one in there at all (ie. just the CGI.pm one,

BTW about the CGI.pm example:

    use CGI ();
    $Text = "foo<b>bar";
    $URL = "foo<b>bar.html";
    print CGI::escapeHTML($Text), "<BR>";

Sorry for being off topic, but FYI from Bugtraq about Oct 5, 1999 titled "Time to update those CGIs again":

"Seems that at least some Unix versions of Netscape treat characters 0x8b and 0x9b (NOT the strings "0x8b" and "0x9b" but the characters with these ascii values) just like < and > respectively..."

I never tested it, but others on Bugtraq did confirm the problem on unix versions of Netscape.

Bill Moseley
mailto:[EMAIL PROTECTED]
Re: cross site scripting security issue headsup
On Wed, 2 Feb 2000, Marc Slemko wrote: http://www.apache.org/info/css-security/ http://www.cert.org/advisories/CA-2000-02.html I think I have found a little typo/oversight in the mod_perl example on http://www.apache.org/info/css-security/encoding_examples.html It uses escape_html rather then escape_uri on the href line, here is a tiny patch. Cheers, - Sander van Zoest [EMAIL PROTECTED] High Geek(858) 623-7442 MP3.com, Inc. http://www.mp3.com/ See you at ApacheCon 2000 - Your premiere Music Service Provider (MSP) diff -C3 -r1.4 encoding_examples.html *** encoding_examples.html 2000/02/02 19:26:03 1.4 --- encoding_examples.html 2000/02/03 00:23:54 *** *** 139,145 $Text = "foolt;bgt;bar"; $URL = "foolt;bgt;bar.html"; $r-gt;print(Apache::Util::escape_html($Text), "lt;BRgt;"); ! $r-gt;print("lt;A HREF=\"", Apache::Util::escape_html($URL), "\"gt;linklt;/Agt;"); /PRE PThis uses the same functions as in the Apache Module Example, called --- 139,145 $Text = "foolt;bgt;bar"; $URL = "foolt;bgt;bar.html"; $r-gt;print(Apache::Util::escape_html($Text), "lt;BRgt;"); ! $r-gt;print("lt;A HREF=\"", Apache::Util::escape_uri($URL), "\"gt;linklt;/Agt;"); /PRE PThis uses the same functions as in the Apache Module Example, called
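Review bot: escape_uri is the right call for the URL context on the HREF line, but on its own it is not a complete fix for a value placed inside a quoted attribute: a URI escaper leaves characters that are legal in a URI alone, so an ampersand separating query parameters, for instance, would still be emitted raw where the attribute needs &amp;. Suggest escaping for both contexts in order, i.e. `Apache::Util::escape_html(Apache::Util::escape_uri($URL))` on the HREF line, and a sentence in the paragraph after the PRE explaining that the URL is escaped for the URI context first and then for the HTML attribute it is embedded in, since that paragraph currently only says the same functions as the C example are used.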
Re: cross site scripting security issue headsup
Doh, thanks, fixed.

I thought about not putting the mod_perl specific one in there at all (ie. just the CGI.pm one, and I had removed it, so the error probably came about when I put it back in), but figured I should include it for some reason. Don't know what that reason is. Oh well.

On Wed, 2 Feb 2000, Sander van Zoest wrote:

> On Wed, 2 Feb 2000, Marc Slemko wrote:
> > http://www.apache.org/info/css-security/
> > http://www.cert.org/advisories/CA-2000-02.html
>
> I think I have found a little typo/oversight in the mod_perl example on
> http://www.apache.org/info/css-security/encoding_examples.html
>
> It uses escape_html rather than escape_uri on the href line, here is a tiny patch.
>
> Cheers,
>
> - Sander van Zoest [EMAIL PROTECTED]
> High Geek (858) 623-7442
> MP3.com, Inc. http://www.mp3.com/
> See you at ApacheCon 2000 - Your premiere Music Service Provider (MSP)
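The two points raised in this thread, that the HREF line needs URI escaping rather than HTML escaping and that some Unix Netscape builds treated bytes 0x8b and 0x9b as < and >, are easiest to see with both escapers side by side. The following is an added example, not code from the Apache CSS-security page, from CGI.pm or from Apache::Util: it reimplements simplified escapers in plain Perl (the real Apache path escaper keeps more characters, such as / and &, unencoded), and the function names, the /docs and /search paths and the sample inputs are all constructed for the example.

```perl
#!/usr/bin/perl
# Added example, not code from the Apache CSS-security page, CGI.pm or
# Apache::Util. Simplified reimplementations of the two escapers so the
# context difference the patch fixes can be run and inspected.
# Function names, paths and sample inputs are hypothetical/constructed.
use strict;
use warnings;

# HTML context (text node or quoted attribute value). Beyond the usual
# five characters, bytes 0x8B and 0x9B are turned into numeric character
# references because the Bugtraq report quoted in this thread says some
# Unix Netscape builds rendered them as '<' and '>'.
sub escape_html {
    my ($s) = @_;
    my %map = (
        '&' => '&amp;',  '<' => '&lt;',   '>' => '&gt;',
        '"' => '&quot;', "'" => '&#39;',
        "\x8b" => '&#139;', "\x9b" => '&#155;',
    );
    $s =~ s/([&<>"'\x8b\x9b])/$map{$1}/g;
    return $s;
}

# URI context: percent-encode everything except the RFC 3986 unreserved
# set (letters, digits, - . _ ~). Apply it to each untrusted URL
# component, never to a whole URL you assembled yourself, or the
# separators you added (?, &, =, /) get encoded as well.
sub escape_uri {
    my ($s) = @_;
    $s =~ s/([^A-Za-z0-9\-._~])/sprintf('%%%02X', ord($1))/ge;
    return $s;
}

# The shape of the page's example with the HREF line as the patch has it:
# the URL is escaped for the URL context first, then for the attribute
# context it is embedded in. The second step changes nothing for this
# input; it is what protects the query-string case below.
sub render_link {
    my ($text, $url) = @_;
    return escape_html($text) . "<BR>\n"
         . '<A HREF="' . escape_html(escape_uri($url)) . '">link</A>' . "\n";
}

# Query strings show why both steps are needed: the '&' between
# parameters is part of the URL, so escape_uri never sees it, but inside
# an attribute value it still has to be written as &amp;.
sub render_search_link {
    my ($query, $lang) = @_;
    my $href = '/search?q=' . escape_uri($query) . '&lang=' . escape_uri($lang);
    return '<A HREF="' . escape_html($href) . '">search: '
         . escape_html($query) . "</A>\n";
}

# Constructed inputs: the thread's foo<b>bar pair, an ampersand in a query
# value, and a string carrying the two Netscape bytes.
print render_link("foo<b>bar", "foo<b>bar.html");
print render_search_link("a&b", "en");
print escape_html("\x8bscript\x9b"), "\n";
print escape_uri("\x8bx\x9b"), "\n";
```

Run as a script it prints the first link with %3C/%3E in the HREF and &lt;/&gt; in the visible text, the search link with %26 inside the q value but &amp; between the two parameters, and the 0x8b/0x9b bytes as numeric references in the HTML case and as %8B/%9B in the URI case, so neither escaper lets those bytes reach a browser that might read them as angle brackets.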