On Fri, Feb 20 2009, Merlyn Kline wrote:

> One of the checks it does is basically this:
>
> telnet myserver 80
> GET <IMG%20SRC=\"javascript:alert(cross_site_scripting.nasl);\"> / HTTP/1.1
> Host: myserver
>
> So the returned page includes their XSS test code in any https links because
> I generated them from $c->req->uri_for()->as_string(), and so the security
> test fails.
The issue is that you need to escape the HTML output, right? <IMG SRC="..."> should become, when linkified, <a href="<IMG SRC="..."">. If you do that, there's no security problem... although the link is useless (which may be a secondary issue to deal with).

(If the security scanner complains about the escaped form, it's dumb. It's not a security problem.)

Regards,
Jonathan Rockway

--
print just => another => perl => hacker => if $,=$"

_______________________________________________
List: [email protected]
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/[email protected]/
Dev site: http://dev.catalyst.perl.org/
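Added example for this thread, written in Perl because the report is about a Catalyst app; it is not code from the list or from Catalyst. It shows the fix Jonathan describes: a URL reflected from the request (here a constructed stand-in for what `$c->req->uri_for()->as_string()` returned for the quoted probe) is entity-escaped before it is interpolated into an `href`, and the unescaped template next to it shows what the scanner was flagging. The `is_allowed_href` scheme check at the end goes beyond the thread and is an assumption about which link schemes the app intends to emit.

```perl
#!/usr/bin/env perl
# Added example (not code from the thread or from Catalyst): a reflected URL
# must be entity-escaped before it is placed in an HTML attribute.
use strict;
use warnings;
use HTML::Entities qw(encode_entities);

# Constructed stand-in for the uri_for()->as_string() value the report
# describes: the literal <, >, " and space from the probe survive as-is.
my $reflected = 'https://myserver/<IMG SRC="javascript:alert(1);"> /';

# Vulnerable pattern: the URL string goes straight into the template, so the
# <IMG ...> from the request becomes real markup in the response.
sub link_unescaped {
    my ($url) = @_;
    return qq{<a href="$url">$url</a>};
}

# Fixed pattern: escape the characters that can close the attribute or start
# a tag. The browser decodes the entities when it reads href, so the link
# still points at the (useless) URL, but no markup is injected.
sub link_escaped {
    my ($url) = @_;
    my $safe = encode_entities($url, q{<>&"'});
    return qq{<a href="$safe">$safe</a>};
}

# Assumed extra check, not discussed in the thread: only emit links whose
# scheme is one the app intends to serve (http/https), so that an
# attacker-controlled absolute URL cannot put a javascript: target in href
# even when it is correctly entity-escaped.
sub is_allowed_href {
    my ($url) = @_;
    return $url =~ m{\Ahttps?://}i ? 1 : 0;
}

print "unescaped: ", link_unescaped($reflected), "\n";
print "escaped:   ", link_escaped($reflected), "\n";
print "scheme ok: ", ( is_allowed_href($reflected) ? "yes" : "no" ), "\n";
```

Running it prints the two anchors side by side: the first contains a literal `<IMG ...>` element inside the anchor text, the second contains only `&lt;IMG SRC=&quot;javascript:...&quot;&gt;` text, which is the form a scanner should accept. Applying `encode_entities` (or the template engine's equivalent filter) at the point where any request-derived string meets HTML is the general rule; escaping the URL on its own is only the instance that this report happened to hit.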
