On Thu, 27 Apr 2000, Matt Sergeant wrote:

> Unfortunately there's also a browser bug to contend with. They treat \x8b
> (I think that's the right code) as < and there's a similar code for
> >. Since most web developers are just doing s/</&lt;/g; they are open to
> attacks based on character sets like this. Sad, but true. Even our loved
> CGI.pm was (is?) open to this bug - I think Lincoln has fixed the
> HTMLEncode function now though.

Mmm? Which browsers? Do they have to be configured for any particular character set? And can you provide an example that demonstrates it? I can't reproduce it...