[TYPO3-dev] Removing strip_tags dangerous?

JoH info at cybercraft.de
Fri Oct 19 16:28:50 CEST 2007


> I checked it with one of these examples, in an alt tag:
> <font face="xyz[0xC0]">buried</font><font face="abc
> onmouseover=alert() s=[0xC0]">exploited</font>
>
> The produced HTML is
> alt="&lt;font
> face=&quot;xyz[0xC0]&quot;&gt;buried&lt;/font&gt;&lt;font
> face=&quot;abc onmouseover=alert()
> s=[0xC0]&quot;&gt;exploited&lt;/font&gt;"
>
> So I don't see a vulnerable thing here - it's never executed.
>
> vg Steffen

And what does the browser show when you move the mouse over the image?
And which browser did you use for testing?
IE6 seems to be the major problem but others might be too depending on the 
character set used.

The questions are:
What will happen after the [0xC0] when the browser is able to recognize the 
character?
Will the content of the alt tag somehow be editable by non-admin
users or normal website users so that they could inject a character encoded
like that?
In both cases the example shown by Mr. Su might work in a specific
environment.
In any other case it wouldn't be too harmful since the admin can easily 
access the BE without having to steal something ;-)

So should we ignore it?

Joey 
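
An added example, not from this thread and not TYPO3 code, that models the two
questions above. It takes the payload Steffen quoted (with [0xC0] as a literal
byte), escapes it for the alt attribute the way the quoted output shows, and then
feeds the result to an HTML parser under two decoders: a byte-transparent one
and a hypothetical lenient decoder (decode_swallowing, an assumption of this
example, not a description of IE6 or any other browser) that takes 0xC0 as the
start of a two-byte sequence and swallows whatever byte follows it. It also
models a hypothetical second consumer (reemit_alt_unescaped, also an assumption)
that reads the alt value back and writes it out as markup without escaping,
which is the "editable by non-admin users" case. The file name x.png and the
wrapping div are placeholders.

```python
import html
from html.parser import HTMLParser

# Constructed input: the payload quoted in the thread, with [0xC0] as a
# literal byte. 0xC0 is a UTF-8 lead byte with no continuation byte after
# it, so these bytes are not valid UTF-8 on their own.
PAYLOAD = (b'<font face="xyz\xc0">buried</font>'
           b'<font face="abc onmouseover=alert() s=\xc0">exploited</font>')


def is_valid_utf8(raw: bytes) -> bool:
    """A strict decoder rejects the stray lead byte outright."""
    try:
        raw.decode("utf-8")
        return True
    except UnicodeDecodeError:
        return False


def decode_byte_transparent(raw: bytes) -> str:
    """One byte = one character (latin-1): the consumer never 'recognises'
    the 0xC0 character at all."""
    return raw.decode("latin-1")


def decode_swallowing(raw: bytes) -> str:
    """Hypothetical lenient decoder (an assumption of this example, not a
    description of any particular browser): a byte in the two-byte lead
    range 0xC0..0xDF starts a sequence and the byte after it is consumed
    as its continuation no matter what it is; the pair becomes U+FFFD.
    Every other byte is passed through unchanged."""
    out, i = [], 0
    while i < len(raw):
        b = raw[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(raw):
            out.append("\ufffd")
            i += 2          # the byte after the lead byte vanishes
        else:
            out.append(chr(b))
            i += 1
    return "".join(out)


class StartTagCollector(HTMLParser):
    """Records (tag, attributes) for every start tag the parser sees."""
    def __init__(self):
        super().__init__()
        self.starttags = []

    def handle_starttag(self, tag, attrs):
        self.starttags.append((tag, dict(attrs)))


def start_tags(doc: str):
    p = StartTagCollector()
    p.feed(doc)
    p.close()
    return p.starttags


def event_handlers(doc: str):
    """(tag, attribute) for every on* attribute the parser registers.
    An 'onmouseover=' string inside another attribute's value is not one."""
    return [(tag, name) for tag, attrs in start_tags(doc)
            for name in attrs if name.startswith("on")]


def render_alt(raw: bytes) -> bytes:
    """What the quoted TYPO3 output shows: the value escaped for an
    attribute context (&lt; &gt; &quot; &amp;) inside alt="...". The
    0xC0 byte itself is passed through untouched."""
    escaped = html.escape(decode_byte_transparent(raw), quote=True)
    return ('<img src="x.png" alt="%s">' % escaped).encode("latin-1")


def reemit_alt_unescaped(img: bytes) -> bytes:
    """Hypothetical second consumer (assumption of this example): reads the
    alt value back (html.parser hands it over already unescaped) and writes
    it out as markup without escaping it again."""
    (_, attrs), = start_tags(decode_byte_transparent(img))
    return ('<div>%s</div>' % attrs["alt"]).encode("latin-1")


if __name__ == "__main__":
    page = render_alt(PAYLOAD)
    print("input is valid UTF-8:", is_valid_utf8(PAYLOAD))
    for name, decode in (("byte-transparent", decode_byte_transparent),
                         ("swallowing", decode_swallowing)):
        print(name, "/ escaped alt      ->", event_handlers(decode(page)))
        print(name, "/ re-emitted raw   ->",
              event_handlers(decode(reemit_alt_unescaped(page))))
```

Running it shows where the risk sits: as long as the value stays escaped in the
alt attribute, neither decoder turns onmouseover into a real attribute, because
the 0xC0 can only ever swallow the "&" of an entity, never a literal quote. Only
when a second consumer re-emits the alt text as raw markup and decodes it
leniently does the swallowed quote after "xyz" let the first font tag run on and
pick up onmouseover as an attribute of its own; with a byte-transparent decoder
even the re-emitted markup is inert.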





