OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Steve Sobol (sjsobolJustThe.net)
Date: Mon Mar 11 2002 - 10:25:18 CST


    At 03:17 AM 3/12/02 +1100, Nik Cubrilovic wrote:

    >In short, no
    >
    >----------test.php---------
    ><? $test = "javascript:alert('hi')"; print "245118f3.jpg"; ?>
    >---------end test.php-------
    >
    >will still execute the script on the client side. The function(s) do
    >filter special characters, but do not fully prevent cross-site scripting.

    How about additionally escaping the question mark by using &#63; ?

    -- 
    JustThe.net LLC - Steve "Web Dude" Sobol, CTO      ICQ: 56972932/WebDude216
    website: http://JustThe.net  email: sjsobolJustThe.net  phone: 216.619.2NET
    postal: 5686 Davis Drive, Mentor On The Lake, OH 44060-2752  DalNet: ZX-2
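    An added illustration of the point under discussion, not code from the thread or from the php.net functions being debated. The body of the posted test.php did not survive archiving beyond the assignment line, so this assumes the filtered value is written into an href attribute, the context in which a javascript: URL actually runs. Python's html.escape stands in for PHP's htmlspecialchars()/htmlentities(), and html.unescape models what a browser does with an attribute value before it parses it as a URL: character references such as &#x27; or &#63; are decoded first, so a payload that only had its metacharacters entity-encoded comes back intact. The second half shows the check that does work for this context, an allow-list on the URL scheme, with the whitespace and case tricks a scheme check has to survive. PAYLOAD, ALLOWED_SCHEMES and the function names are this example's own.

```python
"""Added example (not from the thread): entity-escaping vs. scheme allow-listing
for a user-supplied URL placed in an <a href="..."> attribute."""
import html
from typing import Optional
from urllib.parse import urlsplit

# Constructed input, modelled on the payload in the quoted test.php.
PAYLOAD = "javascript:alert('hi')"

# Assumption for this example: only these schemes may appear in a link.
ALLOWED_SCHEMES = {"http", "https", "mailto"}


def escaped_link(url: str) -> str:
    """What htmlspecialchars()-style filtering produces: the quotes and angle
    brackets are encoded, but 'javascript:' is left untouched."""
    return f'<a href="{html.escape(url)}">link</a>'


def attribute_value_as_browser_sees(attr_html: str) -> str:
    """A browser decodes character references in an attribute value before it
    treats the result as a URL, so &#58; becomes ':' and &#63; becomes '?'.
    html.unescape models that decoding step."""
    return html.unescape(attr_html)


def safe_href(url: str) -> Optional[str]:
    """Return the URL if its scheme is allow-listed (or it is relative),
    otherwise None. Normalisation follows what browsers do before parsing:
    drop tab/CR/LF anywhere, strip leading/trailing C0 controls and space."""
    cleaned = "".join(ch for ch in url if ch not in "\t\r\n")
    cleaned = cleaned.strip("".join(chr(c) for c in range(0x21)))
    scheme = urlsplit(cleaned).scheme  # urlsplit lower-cases the scheme
    if scheme == "":
        return cleaned  # relative URL such as "/path" or "page.html"
    return cleaned if scheme in ALLOWED_SCHEMES else None


def render_link(url: str) -> str:
    """Hardened version: validate the scheme first, then escape for the
    attribute context. Escaping alone cannot fix a bad scheme."""
    href = safe_href(url)
    if href is None:
        href = "#"  # or omit the link entirely
    return f'<a href="{html.escape(href)}">link</a>'


if __name__ == "__main__":
    print(escaped_link(PAYLOAD))
    print(attribute_value_as_browser_sees(html.escape(PAYLOAD)))
    print(attribute_value_as_browser_sees("javascript&#58;alert(&#x27;hi&#x27;)"))
    print(render_link(PAYLOAD))
    print(render_link("https://example.com/?q=1"))
```

The output of the first two prints is the crux: the filtered href still reads javascript:alert(...) once the browser has decoded the entities, and encoding further characters of the URL as entities just gets decoded the same way. Deciding what the URL is allowed to be is a separate check from escaping it for HTML.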