XSS replaces in the documentation
#11

(02-12-2018, 07:21 AM)Elias Wrote:
(02-12-2018, 06:24 AM)Narf Wrote: Not a bug.

Why? Tags like <b> or <a> are not replaced... What's a normal input string for xss_clean()?

Thanks for the answers

Anything that has an 'src' attribute can link external resources and trigger their execution, and thus - XSS.

Bold doesn't have the 'src' attribute and cannot do anything potentially dangerous.
Anchor doesn't have the 'src' attribute, but can be altered or replaced in certain cases.

I don't know what you mean by a "normal input string" ... there's no such thing. The function is made to strip or defuse potentially dangerous tags and attributes, and that's what it does.
#12

(This post was last modified: 02-15-2018, 08:05 AM by Elias.)

(02-14-2018, 11:28 AM)Narf Wrote: Anything that has an 'src' attribute can link external resources and trigger their execution, and thus - XSS.

Ok, the string

Code:
<video src="https://www.w3schools.com/html/mov_bbb.mp4"></video>
has src and xss_clean() replaces HTML characters.

Is this the right behavior?

P.S.: I'm not saying how you should make the framework, I'm just trying to understand what I'm doing wrong.
#13

(02-15-2018, 08:01 AM)Elias Wrote:
Code:
<video src="https://www.w3schools.com/html/mov_bbb.mp4"></video>
has src and xss_clean() replaces HTML characters.

Is this the right behavior?

Yes, that's what this means:

(02-14-2018, 11:28 AM)Narf Wrote: Anything that has an 'src' attribute can link external resources and trigger their execution, and thus - XSS.
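An added illustration of the rule Narf states in this thread (this is example code, not CodeIgniter's xss_clean() and not code posted by anyone here): a small Python filter that entity-encodes any tag carrying src or an on* event handler, so the <video src=...> string from post #12 comes out as visible text while <b> passes through untouched. The anchor case is assumed here to be a javascript: href, which is one way a harmless-looking <a> can be turned into a script vector.

```python
from collections import Counter
from html import escape
from html.parser import HTMLParser

# Tags whose src attribute fetches (and may execute) a remote resource.
SRC_TAGS = {"img", "video", "audio", "source", "track", "script", "iframe", "embed"}

def _is_risky(tag, attrs):
    if tag in SRC_TAGS:
        return True
    for name, value in attrs:            # HTMLParser lower-cases attribute names
        value = (value or "").strip().lower()
        if name == "src" or name.startswith("on"):   # external load or event handler
            return True
        if name == "href" and value.startswith("javascript:"):  # assumed anchor case
            return True
    return False

class DefusingFilter(HTMLParser):
    """Rebuilds the input; risky tags become inert text rather than markup."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []
        self.encoded_open = Counter()    # encoded start tags awaiting their end tag

    def handle_starttag(self, tag, attrs):
        raw = self.get_starttag_text()
        if _is_risky(tag, attrs):
            self.encoded_open[tag] += 1
            self.out.append(escape(raw, quote=False))   # '<' and '>' become entities
        else:
            self.out.append(raw)

    def handle_startendtag(self, tag, attrs):          # <img ... /> has no end tag
        raw = self.get_starttag_text()
        self.out.append(escape(raw, quote=False) if _is_risky(tag, attrs) else raw)

    def handle_endtag(self, tag):
        if self.encoded_open[tag]:
            self.encoded_open[tag] -= 1
            self.out.append(f"&lt;/{tag}&gt;")
        else:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

def defuse(html):
    parser = DefusingFilter()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)
```

Running defuse() on the thread's video string yields it with every angle bracket encoded, which is exactly the "replaces HTML characters" behaviour being asked about.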