WebApp Sec mailing list archives
Re: HTMLEncode
From: RSnake <rsnake () shocking com>
Date: Fri, 7 Jan 2005 14:40:47 -0800 (PST)
It totally depends on the application. If the application is asking you to input the name of a remote image, then no, HtmlEncode will have no bearing on this. I.e.: if user input = "javascript:('XSS')" and you print <IMG SRC=$userinput>, you still have cross site scripting in any example like that, and with a multitude of different HTML tags. If you haven't already, check out my cheat sheet: http://www.shocking.com/~rsnake/xss.html

However, to answer your question, if you are JUST entering raw characters, you should be fine. I just worry when people think tiny tools like that are a panacea.

On Fri, 7 Jan 2005, Alfred Hitchcock wrote:
> Hello everybody, Could anybody tell me how you can bypass Server.HtmlEncode, as it only checks for 4 characters, i.e. &, <, >, ". So is there any other way of bypassing HtmlEncode which can further lead to XSS?
-R