[eluser]mic[/eluser]
Hi,
I have recently built an app which i had checkout by a peneration testing company. They come back with some interesting results which included serveral things I had to fix (some XSS, CRSF changes generally).
How ever one of the XSS attacks they had managed was completed through a textfield which was validated and has been xss cleaned. When i tested this locally it does everything as expected and the [removed] tags are present in the text, but they reported being able to add a
Code:
[removed]alert("Hi");[removed]
to it.
Would it be possible to use a non standard charset that would allow the user to potentially input a string like this and successfully get it past the xss_clean function?
Thanks mic
EDIT: lol the [removed] tags in the code snippit above are supposed to be script tags.
