Thread: xss vulnerability in comment form

2006-02-25 23:00:12
Guys,
I'm playing with a clean, default installation of Blojsom and I noticed I could post "<script>alert('yo');</script>" as the name in the comment form and it went through unescaped. I know comments can be moderated but is there a way to escape this text by default?
Thanks, --Bill
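The contrast Bill describes, as an added example in Java (Blojsom's implementation language) that is not Blojsom's own code and not the fix David refers to later in the thread: a comment renderer that concatenates the commenter's name straight into markup, beside one that HTML-encodes every untrusted field at the point it is written into the page. The class and method names are hypothetical, and the comment strings are constructed for the demonstration.

```java
// Added example, not Blojsom code. Shows why the name field must be encoded
// for the HTML context it is rendered into, whether or not moderation is on.
public class CommentEscapeDemo {

    // Minimal HTML entity encoding, sufficient for text nodes and for
    // double-quoted attribute values. Other contexts (inside a <script>
    // block, a URL, a CSS value) need their own encoders.
    static String escapeHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Vulnerable: commenter-controlled fields are dropped into the markup verbatim.
    static String renderUnsafe(String author, String body) {
        return "<div class=\"comment\"><b>" + author + "</b>: " + body + "</div>";
    }

    // Hardened: every untrusted field is encoded for the HTML text context it lands in.
    static String renderSafe(String author, String body) {
        return "<div class=\"comment\"><b>" + escapeHtml(author) + "</b>: "
                + escapeHtml(body) + "</div>";
    }

    public static void main(String[] args) {
        // Bill's test string from the post above, used as the commenter's name.
        String payload = "<script>alert('yo');</script>";
        String body = "nice post";   // constructed comment body

        String unsafe = renderUnsafe(payload, body);
        String safe = renderSafe(payload, body);

        System.out.println("unsafe: " + unsafe);
        System.out.println("safe:   " + safe);

        // The hardened output carries no executable tag, only entity-encoded text.
        boolean neutralised = unsafe.contains("<script>") && !safe.contains("<script>");
        System.out.println("payload neutralised by output encoding: " + neutralised);
    }
}
```

Encoding at output time, rather than stripping tags at submission time, is the more robust of the two approaches: it does not depend on keeping a tag blacklist current, and it also protects the moderator, who views the stored comment in the moderation interface before deciding whether to approve it.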

2006-02-26 03:14:43
Hi Bill,
David's response to a similar question I asked him was http://wiki.blojsom.com/wiki/display/blojsom/XSS+Filter+Plugin
I found a similar issue in Roller and Pebble; the authors don't see it as a problem due to the moderation capability.
Maybe people will see it as a bigger threat when a real attack is happening with virus-like spreading capability.
It's easy enough to deface a site or generate a loop that slows down a site with javascript.
Cheers, Cliff.

2006-02-27 17:06:08
I just put code in there to do that. Thanks.
--
David Czarnecki
http://www.blojsom.com/blog/ | http://blojsom.sf.net