Antonio Petrelli wrote:
2008/1/16, Jeromy Evans <[EMAIL PROTECTED]>:
<a href="javascript:alert('1&2>3='+(1&2>3));">Link A</a>

HTML escaped is not equivalent:
<a href="javascript:alert('1&amp;2&gt;3='+(1&amp;2&gt3));">Link B</a>



You forgot a semicolon. The correct link is:
<a href="javascript:alert('1&amp;2&gt;3='+(1&amp;2&gt;3));">Link B</a>
And it *is* equivalent.

Antonio

Ah, my bad.  Okay, I'm convinced. :-)

On that basis, the anchor tag just needs ?html added to the href attribute:
From:
<#if parameters.href?if_exists != "">
href="${parameters.href}"<#rt/>
</#if>
To:
<#if parameters.href?if_exists != "">
href="${parameters.href?html}"<#rt/>
</#if>
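
The equivalence discussed in this thread, and what `?html` changes when an href contains a double quote, shown as an added example that is not part of the original messages or the project's code. `htmlEscape` models FreeMarker's `?html`; `decodeAttribute`, `renderAnchor`, `parseAttributes` and the second sample href are constructed for illustration.

```javascript
// Added example: htmlEscape models FreeMarker's ?html built-in, which
// rewrites exactly these four characters (single quotes are left alone).
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;' };
const ENTITIES = { amp: '&', lt: '<', gt: '>', quot: '"' };

function htmlEscape(value) {
  return value.replace(/[&<>"]/g, (ch) => ESCAPES[ch]);
}

// What an HTML parser does to an attribute value before the URL is used.
// Assumption: only the semicolon-terminated forms of the four entities.
function decodeAttribute(raw) {
  return raw.replace(/&(amp|lt|gt|quot);/g, (_, name) => ENTITIES[name]);
}

// Render the anchor as the template does, without or with ?html.
function renderAnchor(href, escape) {
  return `<a href="${escape ? htmlEscape(href) : href}">Link</a>`;
}

// Minimal reader (hypothetical helper): decoded double-quoted attributes.
function parseAttributes(tag) {
  const attrs = {};
  for (const [, name, raw] of tag.matchAll(/([a-z]+)="([^"]*)"/g)) {
    attrs[name] = decodeAttribute(raw);
  }
  return attrs;
}

// Link A's href from the thread, and a constructed href containing a quote.
const LINK_A = "javascript:alert('1&2>3='+(1&2>3));";
const QUOTED = '/list.action?a=1&b=2" title="injected';

for (const href of [LINK_A, QUOTED]) {
  for (const escape of [false, true]) {
    const tag = renderAnchor(href, escape);
    const attrs = parseAttributes(tag);
    console.log(escape ? '?html ' : 'raw   ', tag);
    console.log('       attributes:', Object.keys(attrs).join(','),
      '| href unchanged:', attrs.href === href);
  }
}
```

With `?html` the quote in the second href stays inside the attribute value; without it the rendered tag gains a second attribute.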

