oops - bad me - that was supposed to be action in the example not target.

On Wed, Sep 10, 2008 at 4:13 PM, Anthony Ettinger <[EMAIL PROTECTED]> wrote:
> "target=" isn't a valid attribute for <form> tag...and making the
> "action" attribute a URL with GET parameters is a bad idea.
>
>
> On Wed, Sep 10, 2008 at 2:11 PM, Mark Elrod <[EMAIL PROTECTED]> wrote:
>> I am trying to rid my site of potential XSS vulnerabilities. One that
>> I have found is that if I use $r->uri in my form targets it does not
>> filter out garbage after the filename:
>>
>> For example:
>>
>> Given this URL:
>>
>> http://example.com/index.html/bogus_path/<xss>"><script>alert('XSS')</script>/
>>
>> <form target="<% $r->uri %>">
>>
>> would become:
>>
>> <form
>> target="http://example.com/index.html/bogus_path/<xss>"><script>alert('XSS')</script>/
>> ">
>>
>> Any suggestions on how to avoid this? I tried looking into using the
>> component path but sometimes the form is generated in a subcomponent.
>>
>> -------------------------------------------------------------------------
>> This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
>> Build the coolest Linux based applications with Moblin SDK & win great prizes
>> Grand prize is a trip for two to an Open Source event anywhere in the world
>> http://moblin-contest.org/redirect.php?banner_id=100&url=/
>> _______________________________________________
>> Mason-users mailing list
>> Mason-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/mason-users
>>
>
>
> --
> Anthony Ettinger
> 408-656-2473
> http://anthony.ettinger.name
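An added illustration of the two fixes the thread points at, written in Python rather than Mason/Perl and not code from the thread: drop the PATH_INFO suffix that $r->uri carries, and escape the value for attribute context the way Mason's `| h` flag does. It assumes mod_perl's `$r->path_info` holds everything after the real filename (the sample values are constructed from the thread's URL, shown raw as in the thread), and a small HTML parser shows which elements each rendered tag produces.

```python
import html
from html.parser import HTMLParser

# Constructed values: what $r->uri and $r->path_info would hold for the
# thread's URL http://example.com/index.html/bogus_path/<xss>"><script>...
REQUEST_URI = "/index.html/bogus_path/<xss>\"><script>alert('XSS')</script>/"
PATH_INFO = "/bogus_path/<xss>\"><script>alert('XSS')</script>/"


def strip_path_info(uri: str, path_info: str) -> str:
    """Remove the trailing PATH_INFO, leaving only the part that named the
    real component (/index.html); the suffix is the client-chosen part."""
    if path_info and uri.endswith(path_info):
        return uri[: len(uri) - len(path_info)]
    return uri


def attr_escape(value: str) -> str:
    """Escape for a double-quoted HTML attribute, as <% $r->uri | h %> does."""
    return html.escape(value, quote=True)


def unsafe_form_tag(uri: str) -> str:
    """The pattern from the thread: the raw URI interpolated verbatim."""
    return '<form action="%s">' % uri


def safe_form_tag(uri: str, path_info: str) -> str:
    """Both fixes combined: strip PATH_INFO, then escape for attribute context."""
    return '<form action="%s">' % attr_escape(strip_path_info(uri, path_info))


class TagCollector(HTMLParser):
    """Records start tags to show which elements a parser builds from markup."""

    def __init__(self) -> None:
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def tags_seen(markup: str) -> list:
    parser = TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags


if __name__ == "__main__":
    print(unsafe_form_tag(REQUEST_URI), tags_seen(unsafe_form_tag(REQUEST_URI)))
    print(safe_form_tag(REQUEST_URI, PATH_INFO), tags_seen(safe_form_tag(REQUEST_URI, PATH_INFO)))
```

Escaping alone already keeps the injected text inside the attribute (the parser sees only a form element); stripping PATH_INFO additionally removes the garbage from the action altogether.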