[TYPO3-dev] Removing strip_tags dangerous?
JoH
info at cybercraft.de
Fri Oct 19 16:28:50 CEST 2007
> I checked it with one of these examples, in the alt tag:
> <font face="xyz[0xC0]">buried</font><font face="abc
> onmouseover=alert() s=[0xC0]">exploited</font>
>
> The produced HTML is
> alt="<font
> face="xyz[0xC0]">buried</font><font
> face="abc onmouseover=alert()
> s=[0xC0]">exploited</font>"
> so I don't see a vulnerable thing here - it's never executed.
> vg Steffen
And what does the browser show when you move the mouse over the image?
And which browser did you use for testing?
IE6 seems to be the major problem but others might be too depending on the
character set used.
The questions are:
What will happen after the [0xC0] when the browser is able to recognize the
character?
Will the content of the alt tag somehow be editable by non-admin
users or normal website users so that they could inject a character encoded
like that?
In both cases the example shown by Mr. Su might work in a specific
environment.
In any other case it wouldn't be too harmful since the admin can easily
access the BE without having to steal something ;-)
So should we ignore it?
Joey
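
An added example, not part of the original message and not TYPO3 code: one way to keep a malformed lead byte such as 0xC0 out of an `alt` attribute is to check that the input is well-formed in the page's charset before stripping tags and escaping. The helper name `safeAltValue()`, the sample strings and the file name `logo.png` are assumptions made for illustration; the code assumes the page is served as UTF-8 and that PHP's mbstring extension is loaded.

```php
<?php
// Added example, not TYPO3 code. safeAltValue() is a hypothetical helper.

/**
 * Prepare untrusted text for an alt="..." attribute.
 * Returns null when the bytes are not well-formed in $charset, so the caller
 * can reject the input instead of emitting bytes the browser may reinterpret.
 */
function safeAltValue(string $raw, string $charset = 'UTF-8'): ?string
{
    // 0xC0 is never valid in UTF-8. A lenient decoder can treat it as the
    // lead byte of a two-byte sequence and swallow the quote that follows,
    // which is the case the thread is asking about.
    if (!mb_check_encoding($raw, $charset)) {
        return null;
    }
    // Remove markup first, then escape quotes and angle brackets for the
    // attribute context, using the same charset the page is served with.
    return htmlspecialchars(strip_tags($raw), ENT_QUOTES, $charset);
}

// Constructed samples; the first is the string from the post with [0xC0]
// written as the raw byte.
$samples = [
    'post example' => "<font face=\"xyz\xC0\">buried</font>"
        . "<font face=\"abc onmouseover=alert() s=\xC0\">exploited</font>",
    'plain text'   => 'Company "logo" <b>2007</b>',
];

foreach ($samples as $label => $raw) {
    $safe = safeAltValue($raw);
    if ($safe === null) {
        echo "$label: rejected, not well-formed UTF-8\n";
    } else {
        echo "$label: <img src=\"logo.png\" alt=\"$safe\">\n";
    }
}
```

In a single-byte charset such as ISO-8859-1 the byte 0xC0 is an ordinary character (À), so the check is only meaningful when `$charset` matches the charset the response actually declares.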