Re: Security in displaying arbitrary HTML

2000-04-28 Thread Dirk Lutzebaeck
Matt Sergeant writes: Unfortunately there's also a browser bug to contend with. They treat \x8b (I think that's the right code) as < and there's a similar code for >. Since most web developers are just doing s/</&lt;/g; they are open to attacks based on character sets like this. Sad, but

RE: Security in displaying arbitrary HTML

2000-04-28 Thread Leon Brocard
Jeremy Howard wrote: I'm interested in providing 'HTML email' support for my users (like HotMail, Outlook Express, Eudora 4.0, etc provide), but I'm very nervous about security. Essentially, providing HTML email involves letting any arbitrary HTML get displayed by Apache... I've been

Re: Security in displaying arbitrary HTML

2000-04-28 Thread Dirk Lutzebaeck
Matt Sergeant writes: Unfortunately there's also a browser bug to contend with. They treat \x8b (I think that's the right code) as < and there's a similar code for >. Since most web developers are just doing s/</&lt;/g; they are open to attacks based on character sets like this. Sad, but

RE: Security in displaying arbitrary HTML

2000-04-28 Thread Gerald Richter
Gerald, what about Embperl, does it escape \x8b? No, there is no html escape for \x8b (and I guess the other one Matt mentioned is \0x8d for >) I know, so Embperl will not escape it, but this could be simply changed by an entry in epchar.c. Any suggestion to what this should be escaped? Then I

RE: Security in displaying arbitrary HTML

2000-04-28 Thread Matt Sergeant
On Fri, 28 Apr 2000, Gerald Richter wrote: Gerald, what about Embperl, does it escape \x8b? No, there is no html escape for \x8b (and I guess the other one Matt mentioned is \0x8d for >) I know, so Embperl will not escape it, but this could be simply changed by an entry in epchar.c. Any

Re: Security in displaying arbitrary HTML

2000-04-28 Thread Marc Slemko
On Thu, 27 Apr 2000, Matt Sergeant wrote: Unfortunately there's also a browser bug to contend with. They treat \x8b (I think that's the right code) as < and there's a similar code for >. Since most web developers are just doing s/</&lt;/g; they are open to attacks based on character sets like

Re: Security in displaying arbitrary HTML

2000-04-28 Thread Matt Sergeant
On Fri, 28 Apr 2000, Marc Slemko wrote: On Thu, 27 Apr 2000, Matt Sergeant wrote: Unfortunately there's also a browser bug to contend with. They treat \x8b (I think that's the right code) as < and there's a similar code for >. Since most web developers are just doing s/</&lt;/g; they are

Re: Security in displaying arbitrary HTML

2000-04-28 Thread Gunther Birznieks
At 10:25 AM 4/28/00 +0100, Matt Sergeant wrote: On Fri, 28 Apr 2000, Marc Slemko wrote: On Thu, 27 Apr 2000, Matt Sergeant wrote: Unfortunately there's also a browser bug to contend with. They treat \x8b (I think that's the right code) as < and there's a similar code for >. Since most

Security in displaying arbitrary HTML

2000-04-27 Thread Jeremy Howard
I'm interested in providing 'HTML email' support for my users (like HotMail, Outlook Express, Eudora 4.0, etc provide), but I'm very nervous about security. Essentially, providing HTML email involves letting any arbitrary HTML get displayed by Apache... Has anyone done this, or can anyone

Re: Security in displaying arbitrary HTML

2000-04-27 Thread Marc Slemko
On Thu, 27 Apr 2000, Jeremy Howard wrote: I'm interested in providing 'HTML email' support for my users (like HotMail, Outlook Express, Eudora 4.0, etc provide), but I'm very nervous about security. Essentially, providing HTML email involves letting any arbitrary HTML get displayed by

Re: Security in displaying arbitrary HTML

2000-04-27 Thread Nick Tonkin
On Thu, 27 Apr 2000, Marc Slemko wrote: Cookies are not secure and will never be secure. They may be "good enough", and you may not have much choice, but they are still simply not secure when you put everything together. Can you be more specific about why you say that? If I set an

Re: Security in displaying arbitrary HTML

2000-04-27 Thread Marc Slemko
On Thu, 27 Apr 2000, Nick Tonkin wrote: On Thu, 27 Apr 2000, Marc Slemko wrote: Cookies are not secure and will never be secure. They may be "good enough", and you may not have much choice, but they are still simply not secure when you put everything together. Can you be more

Re: Security in displaying arbitrary HTML

2000-04-27 Thread Steven Champeon
On Thu, 27 Apr 2000, Marc Slemko wrote: Can you be more specific about why you say that? If I set an encrypted, short-lived cookie upon validated authentication, why is that any less secure than any of the other approaches you mentioned? It isn't necessarily any "less secure", but you

Re: Security in displaying arbitrary HTML

2000-04-27 Thread Vivek Khera
"SC" == Steven Champeon [EMAIL PROTECTED] writes: SC developers and designers) for Webmonkey: SC http://hotwired.lycos.com/webmonkey/00/18/index3a.html SC If you want to see what sort of stuff the XSS problem opens you up for, SC just try appending ?tw=<script>alert("aha!");</script> to the URL

Re: Security in displaying arbitrary HTML

2000-04-27 Thread Steven Champeon
On Thu, 27 Apr 2000, Vivek Khera wrote: Why on earth would you take user input and output it verbatim to your pages? Rule number 1 of developing a web site is to never trust the user's input values. *Always* validate it against what you're expecting. I guess someone had better tell the

Re: Security in displaying arbitrary HTML

2000-04-27 Thread Marc Slemko
On Thu, 27 Apr 2000, Vivek Khera wrote: "SC" == Steven Champeon [EMAIL PROTECTED] writes: SC developers and designers) for Webmonkey: SC http://hotwired.lycos.com/webmonkey/00/18/index3a.html SC If you want to see what sort of stuff the XSS problem opens you up for, SC just try

Re: Security in displaying arbitrary HTML

2000-04-27 Thread Matt Sergeant
On Thu, 27 Apr 2000, Vivek Khera wrote: "SC" == Steven Champeon [EMAIL PROTECTED] writes: SC developers and designers) for Webmonkey: SC http://hotwired.lycos.com/webmonkey/00/18/index3a.html SC If you want to see what sort of stuff the XSS problem opens you up for, SC just try

Re: Security in displaying arbitrary HTML

2000-04-27 Thread John M Vinopal
I am a bad hacker and watching your line. I see cookies A and B go to you. I set cookies A and B in my web browser. I am now you. You can try to permute the cookies with IP# (breaks on proxies) or Browser type, but all cookie based approaches believe in the value of something sent cleartext.

Re: Security in displaying arbitrary HTML

2000-04-27 Thread Jeffrey W. Baker
On Thu, 27 Apr 2000, John M Vinopal wrote: I am a bad hacker and watching your line. I see cookies A and B go to you. I set cookies A and B in my web browser. I am now you. You can try to permute the cookies with IP# (breaks on proxies) or Browser type, but all cookie based approaches