At 03:17 AM 3/12/02 +1100, Nik Cubrilovic wrote:

>In short, no
>
>----------test.php---------
><? $test = "javascript:alert('hi')"; print "245118f3.jpg"; ?>
>---------end test.php-------
>
>will still execute the script on the client side. The function(s) do
>filter special characters, but do not fully prevent cross-site scripting.

How about additionally escaping the question mark by using &#63; ?


-- 
JustThe.net LLC - Steve "Web Dude" Sobol, CTO      ICQ: 56972932/WebDude216
website: http://JustThe.net  email: [EMAIL PROTECTED]  phone: 216.619.2NET
postal: 5686 Davis Drive, Mentor On The Lake, OH 44060-2752  DalNet: ZX-2

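An added example, not code from either poster, showing why entity-encoding the URL (whether htmlspecialchars() or an extra &#63;) does not stop the javascript: href above, since the browser decodes entities in the attribute before resolving the URL, and what a server-side fix looks like instead: an allowlist of URL schemes checked before the value is encoded. The helper names attr_encode() and safe_href() are assumptions for this example.

```php
<?php
// Added example (not from the thread): htmlspecialchars() keeps the scheme
// intact, so a javascript: URL survives encoding; a scheme allowlist does not.

// Hypothetical helper: attribute-encode a value. Quotes, <, > and & are
// neutralised, but "javascript:" is left untouched.
function attr_encode($value) {
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Hypothetical helper: accept only http/https (or a relative URL); reject
// anything else before it reaches an href/src attribute.
function safe_href($url) {
    $url = trim($url);
    // Browsers ignore control characters and whitespace inside the scheme,
    // so remove them before checking ("java\tscript:" would otherwise pass).
    $probe = preg_replace('/[\x00-\x20]/', '', $url);
    if (preg_match('#^[a-z][a-z0-9+.-]*:#i', $probe, $m)) {
        $scheme = strtolower(rtrim($m[0], ':'));
        if ($scheme !== 'http' && $scheme !== 'https') {
            return null;              // javascript:, data:, vbscript:, ... rejected
        }
    }
    return attr_encode($url);         // allowed scheme or relative URL: encode and use
}

// Constructed sample inputs, including the payload quoted in the thread.
$inputs = array(
    "javascript:alert('hi')",         // quoted payload: encoded form still runs in an href
    "JavaScript:alert('hi')",         // scheme check must be case-insensitive
    "http://example.com/?q=<b>",      // legitimate URL with characters that need encoding
    "/local/page.php?id=1",           // relative URL, no scheme, passes through
);

foreach ($inputs as $in) {
    echo "input:   $in\n";
    echo "encoded: " . attr_encode($in) . "\n";   // scheme still present
    $href = safe_href($in);
    echo "allowed: " . ($href === null ? "(rejected)" : $href) . "\n\n";
}
```

Note the allowlist rejects relative references that happen to contain a colon before any slash (for example "page:1"); resolve such values against a known base URL before calling safe_href() if your application needs them.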