On 2010-05-06 at 7:24, Louis-David Mitterrand wrote:
> Fortunately HTML::Scrubber allows denying specific attributes based on a
> regexp:
>
> 'href' => qr{^(?!(?:java)?script)}i,
> 'src' => qr{^(?!(?:java)?script)}i,
> etc.
That's full of holes. Use a whitelist, not a blacklist. For instance, it won't
catch this:
javascript:alert('XSS')
or this:
jav ascript:alert('XSS');
which will work, at least in some browsers!
Here's a good reference about javascript attacks (not all cases will apply to
you, but a good reference nonetheless):
<http://ha.ckers.org/xss.html>
--
Michel Fortin
[email protected]
http://michelf.com/
_______________________________________________
Markdown-Discuss mailing list
[email protected]
http://six.pairlist.net/mailman/listinfo/markdown-discuss
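As an added example (not code from this thread, from HTML::Scrubber, or from any Markdown implementation), the following Python ports the quoted Perl pattern and runs it beside a scheme whitelist over a constructed set of href values. The allowed-scheme list, the helper names and the assumption that the regex sees the raw, still entity-encoded attribute text are mine; the decoding and whitespace-stripping steps mirror what an HTML parser and a browser URL parser do before the scheme is compared.

```python
import html
import re

# The quoted post's Perl pattern qr{^(?!(?:java)?script)}i ported to Python.
# Assumption: it is applied to the raw attribute text before entity decoding.
# A successful match means "keep the attribute".
BLACKLIST = re.compile(r"^(?!(?:java)?script)", re.IGNORECASE)

# Whitelist for a hypothetical sanitizer: only these schemes are emitted.
ALLOWED_SCHEMES = {"http", "https", "mailto"}

# RFC 3986 scheme syntax: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) ":"
SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")


def blacklist_allows(url: str) -> bool:
    """Decision the quoted regex makes: True means the href is kept."""
    return BLACKLIST.match(url) is not None


def normalize_for_scheme_check(url: str) -> str:
    """Approximate what the browser compares when it picks a scheme.

    1. The HTML parser decodes character references in attribute values,
       so &#106;avascript: is seen as javascript:.
    2. The URL parser strips leading/trailing C0 controls and spaces and
       removes tab and newline anywhere. Dropping every control character
       and space here is stricter than the browser, which is the safe side.
    The result is used only for the decision; on accept the caller emits
    the original attribute value.
    """
    decoded = html.unescape(url)
    return "".join(ch for ch in decoded if ord(ch) > 0x20 and ord(ch) != 0x7F)


def whitelist_allows(url: str) -> bool:
    """True if the URL is relative (no scheme) or uses an allowed scheme."""
    s = normalize_for_scheme_check(url)
    m = SCHEME_RE.match(s)
    if m is None:
        # Relative path, fragment, or protocol-relative //host. Whether to
        # permit protocol-relative links is a policy choice; allowed here.
        return True
    return m.group(1).lower() in ALLOWED_SCHEMES


def compare(url: str) -> tuple:
    """(blacklist decision, whitelist decision) for one href value."""
    return blacklist_allows(url), whitelist_allows(url)


# Constructed probes: a whitespace-split scheme like the second example in
# the post, an entity-encoded first letter, and schemes the blacklist never
# names, next to the links a whitelist must still let through.
PROBES = [
    "javascript:alert('XSS')",
    "JaVaScRiPt:alert('XSS')",
    "jav\tascript:alert('XSS')",
    " javascript:alert('XSS')",
    "&#106;avascript:alert('XSS')",
    "vbscript:MsgBox(1)",
    "data:text/html,<script>alert(1)</script>",
    "http://example.com/",
    "mailto:[email protected]",
    "/relative/path?q=1",
    "#fragment",
]

if __name__ == "__main__":
    for u in PROBES:
        b, w = compare(u)
        print(f"{u!r:45} blacklist={'keep' if b else 'drop':4}  "
              f"whitelist={'keep' if w else 'drop'}")
```

Running the block shows the blacklist keeping every probe except the two that literally begin with `javascript`, while the whitelist keeps only the http, mailto and relative links. The design point is that a whitelist never has to enumerate encodings or schemes it has not thought of: anything it cannot positively identify is dropped.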