On Aug 1, 2006, at 2:17 PM, Eric Farraro wrote:
> To focus my question a little further, I pointed out that in the
> Sanitize->html function, a simple find and replace was done on certain
> characters. My (very basic) understanding of XSS attacks is that they
> will often evade filters by using certain characters that can be
> expressed with patterns not caught by the filter, but when rendered,
> are considered the same.

Do you have a few examples of these characters? The OWASP articles[1] I referenced when creating Sanitize only mentioned watching out for < and >. If you know of some more characters that it should watch out for, let's gather them up and get it fixed.

-- John

[1] http://www.owasp.org/index.php/XSS
http://www.owasp.org/index.php/XSS_Attacks
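As an added illustration of the point raised in the thread (this is example code, not code from the thread or from CakePHP's Sanitize class), the Python below models a find-and-replace filter that rewrites only literal < and >, and contrasts "filter, then let a later layer decode" with "canonicalize, then escape every metacharacter at output". The sample inputs and the assumed downstream URL-decoding layer are constructed for the example.

```python
import html
from urllib.parse import unquote

# Stand-in for a find-and-replace filter that only rewrites the literal
# angle brackets (constructed model, not the CakePHP implementation).
def naive_html(text: str) -> str:
    return text.replace("<", "&lt;").replace(">", "&gt;")

# Canonicalize: resolve percent-encoding and HTML character references
# (named, decimal, hex) repeatedly until the string stops changing, so
# that differently spelled inputs collapse to one representation.
def canonicalize(text: str) -> str:
    while True:
        decoded = html.unescape(unquote(text))
        if decoded == text:
            return text
        text = decoded

# Gap: the filter runs first, then an assumed later layer URL-decodes
# the value before it reaches the page.
def filter_then_decode(raw: str) -> str:
    return unquote(naive_html(raw))

# Fix: canonicalize first, escape last, and escape all metacharacters
# (&, <, >, ", ') rather than just the angle brackets.
def decode_then_escape(raw: str) -> str:
    return html.escape(canonicalize(raw), quote=True)

# Constructed spellings of the same harmless "<b>x</b>" markup.
SAMPLES = {
    "literal": "<b>x</b>",
    "percent-encoded": "%3Cb%3Ex%3C/b%3E",
    "percent-lowercase": "%3cb%3ex%3c/b%3e",
    "numeric-ref": "&#60;b&#62;x&#60;/b&#62;",
    "entity-double": "&amp;#60;b&amp;#62;x&amp;#60;/b&amp;#62;",
}

# The HTML tokenizer opens a tag on a literal '<', so a raw '<' in the
# emitted fragment means markup, whereas '&lt;' is displayed as text.
def emits_markup(fragment: str) -> bool:
    return "<" in fragment

# Names of the samples for which the given pipeline lets markup through.
def audit(pipeline) -> list:
    return sorted(n for n, raw in SAMPLES.items() if emits_markup(pipeline(raw)))

if __name__ == "__main__":
    print("filter_then_decode leaks:", audit(filter_then_decode))
    print("decode_then_escape leaks:", audit(decode_then_escape))
```

The audit reports the two percent-encoded samples as leaking through the filter-first pipeline and nothing leaking through the canonicalize-then-escape one; the remaining samples only look safe in text context and would still need the same output escaping in an attribute or URL context.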
