2009/2/27 The Editor <[email protected]>: > The only limitation is you can't get a line break in there (which > would break the markup). So probably not too much damage you could do > with CSS. But you're right. This shouldn't go in the core, but be a > plugin (solution). What is the worst you could do with this, given > there are no line breaks? > > Hmmm. I suppose someone could enter multiple lines like this in a > comment box, just for fun... > > [(style "--> </style><script>")] > [(style "....")] > [(style "</script><style><--")]
You can inject any javascript with that markup, for doing all kinds of damage if there is malicious intention. Or? ~Hans --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "BoltWire" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [email protected] For more options, visit this group at http://groups.google.com/group/boltwire?hl=en -~----------~----~----~----~------~----~------~--~---
