XSS replaces in the documentation
#11

(02-12-2018, 07:21 AM)Elias Wrote:
(02-12-2018, 06:24 AM)Narf Wrote: Not a bug.

Why? Tags like <b> or <a> are not replaced... What's a normal input string for xss_clean()?

Thanks for answers :)

Anything that has an 'src' attribute can link external resources and trigger their execution, and thus - XSS.

Bold doesn't have the 'src' attribute and cannot do anything potentially dangerous.
Anchor doesn't have the 'src' attribute, but can be altered or replaced in certain cases.

I don't know what you mean by a "normal input string" ... there's no such thing. The function is made to strip or defuse potentially dangerous tags and attributes, and that's what it does.




