• 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
XSS replaces in the documentation

#11
(02-12-2018, 07:21 AM)Elias Wrote:
(02-12-2018, 06:24 AM)Narf Wrote: Not a bug.

Why? Tags like <b> or <a> not replaces... What's a normal input string for xss_clean() ?

Thanks for answers Smile

Anything that has an 'src' attribute can link external resources and trigger their execution, and thus - XSS.

Bold doesn't have the 'src' attribute and cannot do anything potentially dangerous.
Anchor doesn't have the 'src' attribute, but can be altered or replaced in certain cases.

I don't know what you mean by a "normal input string" ... there's no such thing. The function is made to strip or defuse potentially dangerous tags and attributes, and that's what it does.
Reply

#12
(02-14-2018, 11:28 AM)Narf Wrote: Anything that has an 'src' attribute can link external resources and trigger their execution, and thus - XSS.

Ok, string

Code:
<video src="https://www.w3schools.com/html/mov_bbb.mp4"></video>
has src and xss_clean() replaces HTML characters.

Is this the right behavior?

P.S: I'm not saying how you should make the framework, I just try to understand what I'm doing wrong.
Reply

#13
(02-15-2018, 08:01 AM)Elias Wrote:
Code:
<video src="https://www.w3schools.com/html/mov_bbb.mp4"></video>
has src and xss_clean() replaces HTML characters.

Is this the right behavior?

Yes, that's what this means:

(02-14-2018, 11:28 AM)Narf Wrote: Anything that has an 'src' attribute can link external resources and trigger their execution, and thus - XSS.
Reply


Digg   Delicious   Reddit   Facebook   Twitter   StumbleUpon  


  Theme © 2014 iAndrew  
Powered By MyBB, © 2002-2019 MyBB Group.