PerlMonks
As I was looking for a nice BBCode2HTML converter I came across the following behavior of the module, which I think is a bug which could be exploited to insert JS.

[color=blue" onmouseover="this.innerHTML = 'XSS']test[/color]

becomes

<span style="color: blue" onmouseover="this.innerHTML = 'XSS'">test</span>

I used the following script to test this behavior:

If I made a mistake or there is a workaround other than disabling the color tag (and maybe other tags, too), please let me know. Also I would like to hear other suggestions for BBCode2HTML converters (doesn't have to be exactly BBCode, could be something similar) that are known to be safe for public websites.

In reply to XSS-Bug in HTML::BBCode by Taulmarill
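The defect described in the post is attribute injection: the argument of the [color=...] tag is interpolated into a style attribute unchanged, so a double quote in the argument closes the attribute and whatever follows becomes new attributes, here an onmouseover handler. The following is an added example, written in Python and not HTML::BBCode's own code or anything from the original thread. It models the reported behavior in a naive converter, reproduces the exact output quoted above from the same payload, and sets a hardened converter beside it that escapes the whole input first and then only lets a validated color token (a small allow-list of CSS color names, an assumption, or a 3/6-digit hex value) into the attribute. The final helper is a cheap output check for on* attributes that a test suite could run over converter output.

```python
import html
import re

# Constructed sample input, copied from the post above: the tag argument
# closes the style attribute and smuggles in an event handler.
PAYLOAD = "[color=blue\" onmouseover=\"this.innerHTML = 'XSS']test[/color]"

# One [color=ARG]...[/color] pair; ARG is anything up to the closing bracket.
COLOR_TAG = re.compile(r"\[color=([^\]]*)\](.*?)\[/color\]", re.S)


def naive_color_to_html(text):
    """Model of the reported behavior (not HTML::BBCode's own code):
    the tag argument is dropped straight into a style attribute."""
    return COLOR_TAG.sub(
        lambda m: '<span style="color: %s">%s</span>' % (m.group(1), m.group(2)),
        text,
    )


# Allow-list for the color argument. The named set is an assumption for the
# example; a real converter would carry the full CSS list.
NAMED_COLORS = {"black", "white", "red", "green", "blue", "yellow",
                "orange", "purple", "gray", "grey"}
HEX_COLOR = re.compile(r"\A#[0-9a-fA-F]{3}(?:[0-9a-fA-F]{3})?\Z")


def is_safe_color(value):
    """True only if the argument is a bare color token and nothing else."""
    value = value.strip()
    return value.lower() in NAMED_COLORS or bool(HEX_COLOR.match(value))


def safe_color_to_html(text):
    """Hardened converter: HTML-escape the whole input first, then let only a
    validated color argument through. Any other argument loses its tag but
    keeps its (already escaped) text, so it can never reach an attribute."""
    escaped = html.escape(text, quote=True)

    def repl(m):
        color, inner = m.group(1).strip(), m.group(2)
        if is_safe_color(color):
            return '<span style="color: %s">%s</span>' % (color.lower(), inner)
        return inner

    return COLOR_TAG.sub(repl, escaped)


# Detection on the output side: any on*= attribute in converter output is a
# sign the argument validation failed.
EVENT_HANDLER = re.compile(r"\son\w+\s*=", re.I)


def has_inline_handler(markup):
    """Cheap output check: does the produced markup carry an on* attribute?"""
    return bool(EVENT_HANDLER.search(markup))


if __name__ == "__main__":
    print("naive :", naive_color_to_html(PAYLOAD))
    print("safe  :", safe_color_to_html(PAYLOAD))
    print("naive output has handler:", has_inline_handler(naive_color_to_html(PAYLOAD)))
```

Escaping before tag substitution is the point: once `"` has become `&quot;`, no tag argument can terminate an attribute, and the allow-list then decides whether the tag survives at all. Disabling the color tag, as the post considers, is the coarser version of the same decision.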