Posted by Chung Leong on 12/17/05 21:25

Method 1: Use "javascript:" in URLs.

Example: <img src="javascript: [do stuff here] ">

IE will blissfully execute the line.

Method 2: Put Javascript into handlers.

Example: <img onerror=" [do stuff here] " src="bobo.gif">

Method 3: Insert <script> in between letters of "script".

Example: <scr<script>ipt> .... </sc<script>ript>

After your code removes the bogus script tags, the ones that does
the real damage will reform.


Allowing users to inject HTML into your pages is asking for trouble.
Even if you managed to filter out all Javascript, there are still
plenty of other tricks that can be played: inner frames, base tags, CSS
positioning, ActiveX controls, etc..

Just make sure plain text fields are always passed through
htmlspecialchars() before output, then you're safe.

• Next in forum: Re: PHP and Dropdowns
• Prev in forum: Re: Sessions are driving me to insanity
• Thread view: Re: XSS: Ways to disguise JavaScript tags?

[Reply to this message]