[TYPO3-dev] Removing strip_tags dangerous?
Steffen Kamper
steffen at sk-typo3.de
Fri Oct 19 12:10:16 CEST 2007
> Doesn't help in this case, since the bad HTML is generated on the client
> side using specially encoded characters that don't look like HTML at all.
> As far as I understood the problem seems to be that there is no pattern
> one could search for to replace or remove the characters.
>
> The only appropriate solution seems to be a regular expression that will
> be applied after removeBadHTML.
>
> Other ideas?
>
> Joey
>
i checked it with one of this example, in alt tag:
<font face="xyz[0xC0]">buried</font><font face="abc onmouseover=alert()
s=[0xC0]">exploited</font>
the produced html is
alt="<font face="xyz[0xC0]">buried</font><font
face="abc onmouseover=alert()
s=[0xC0]">exploited</font>"so i don't see a vulnerable thing
her - it's never executed.vg Steffen
More information about the TYPO3-dev
mailing list