some code that will be displayed on your site (and consequently
assumed to come from you by your users). Comments on blogs are an
example. If I drop a SCRIPT tag into a blog comment that launches a
popup window to porn site X, that's an example of XSS.
So I submit "<script>window.open('http://www.google.com')</script>" as
a comment. Next time someone views the page, a window will pop up,
because that string was inserted into the body of the page with all the
other comments. Running it through HTMLEditFormat(), however, would
yield this string
"&lt;script&gt;window.open('http://www.google.com')&lt;/script&gt;"
which, when inserted into the body of the comments page, will render
as the text I submitted. No more unauthorized popup.
It gets trickier if you want to allow some HTML (like B, I, U, A and
IMG) tags, but nothing else.
cheers,
barneyb
On Wed, 18 Aug 2004 20:07:24 -0400, CF Coder2
<[EMAIL PROTECTED]> wrote:
> Thanks Matt and the others!
> This was helpful.
>
> I'm not sure what the point of wrapping vars in HTMLEditFormat is. The Ref Man is almost useless in stating its value...returns an HTML-escaped string...so? Why does that help. I'll have to think on that.
>
> I'll have to read up on XSS though. Haven't a clue what that is.
>
>
--
Barney Boisvert
[EMAIL PROTECTED]
360.319.6145
http://www.barneyb.com
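Added example, not from the thread and not ColdFusion's own code: a Python rendering of the two points above. `html_edit_format()` does what CFML's HTMLEditFormat() does (replaces `<`, `>`, `&` and `"` with entities), `render_comment_page()` shows the comment landing in the page raw versus encoded, and `allow_some_tags()` is one hypothetical way to handle the trickier "allow B, I, U, A and IMG but nothing else" case with an allow-list rebuild of the markup. The sample comments and the page template are constructed for the demo.

```python
"""Output encoding vs. blog-comment XSS (added example, not from the thread)."""
from html.parser import HTMLParser

# Constructed sample inputs for the demo.
HOSTILE_COMMENT = "<script>window.open('http://www.google.com')</script>"
PAGE_TEMPLATE = "<html><body><div class='comment'>{comment}</div></body></html>"


def html_edit_format(text: str) -> str:
    """Same substitutions as CFML HTMLEditFormat(): <, >, & and \" become entities."""
    return (text.replace("&", "&amp;")
                .replace("<", "&lt;")
                .replace(">", "&gt;")
                .replace('"', "&quot;"))


def render_comment_page(comment: str, encode: bool) -> str:
    """Drop a submitted comment into the page body, with or without encoding."""
    body = html_edit_format(comment) if encode else comment
    return PAGE_TEMPLATE.format(comment=body)


def contains_live_script(page: str) -> bool:
    """Crude detector used only to show the difference the encoding makes."""
    return "<script" in page.lower()


# --- The trickier case: keep a few tags, neutralise everything else -----------
# Hypothetical allow-list (assumption, not a ColdFusion feature): tags that may
# survive, the attributes each may carry, and the URL schemes a link may use.
ALLOWED_TAGS = {"b", "i", "u", "a", "img"}
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt"}}
SAFE_SCHEMES = ("http://", "https://")


class AllowListFilter(HTMLParser):
    """Rebuild the markup from scratch: allow-listed tags and attributes are
    re-emitted, every other tag is dropped, and all text is entity-encoded."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_stack = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # the tag vanishes; its text still arrives via handle_data
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops onclick=, style=, and every other handler
            value = value or ""
            if name in ("href", "src") and not value.lower().startswith(SAFE_SCHEMES):
                continue  # drops javascript: and data: URLs
            kept.append(f' {name}="{html_edit_format(value)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag != "img":
            self.open_stack.append(tag)

    def handle_endtag(self, tag):
        if tag in self.open_stack:
            # close everything opened since the matching tag, then the tag itself
            while self.open_stack:
                opened = self.open_stack.pop()
                self.out.append(f"</{opened}>")
                if opened == tag:
                    break

    def handle_data(self, data):
        self.out.append(html_edit_format(data))

    def result(self) -> str:
        while self.open_stack:  # close anything the commenter left open
            self.out.append(f"</{self.open_stack.pop()}>")
        return "".join(self.out)


def allow_some_tags(comment: str) -> str:
    """Return the comment with only B, I, U, A and IMG (and safe attributes) kept."""
    flt = AllowListFilter()
    flt.feed(comment)
    flt.close()
    return flt.result()


if __name__ == "__main__":
    print("raw    :", render_comment_page(HOSTILE_COMMENT, encode=False))
    print("encoded:", render_comment_page(HOSTILE_COMMENT, encode=True))
    print("filtered:", allow_some_tags(
        '<b>bold</b> <a href="javascript:alert(1)" onclick="x()">link</a>'))
```

The full-encoding path is the one to reach for by default; the allow-list filter exists only for the case where some markup genuinely has to survive, and its safety rests on rebuilding the output from an explicit list rather than trying to strip known-bad patterns from the input.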