Hi,
I was wondering today about the following possibility to declare functions in html:
<html><body>
<div id="divid">content</div>
<a href="#" onClick="document.getElementById('divid'). setAttribute('style', 'font-weight: bold; color: red; font-size:150%;');" >attack 1</a> <a href="#" onClick="
var x = function() {
document.getElementById('divid').setAttribute('style', 'font-weight: bold; color: red; font-size:150%;');
};
x();
" >attack 2</a></body>
</html>
Both versions of the link are really scary (tested in Chrome).
So even here, in server-generated markup, HTML encoding must be applied to prevent XSS attacks.
Kind regards,
Daniel
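Added example, not part of Daniel's post: a minimal server-side HTML encoder in Node.js of the kind the post says must be applied before untrusted data is placed into the generated <div>; the function names and the sample input are constructed for illustration.

```javascript
// Added example, not from the original post: server-side HTML encoding of
// untrusted data before it is inserted into generated markup.
// Function names and the sample input are constructed for illustration.

// Characters that change meaning inside HTML text or quoted attributes.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;',
  '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
};

// Encode untrusted data for insertion into HTML text or a quoted attribute.
function encodeHtml(value) {
  return String(value).replace(/[&<>"'\/]/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: the post's <div id="divid"> filled with raw untrusted content.
function renderDivUnsafe(untrusted) {
  return `<div id="divid">${untrusted}</div>`;
}

// Hardened: the same element, with the content HTML-encoded first.
function renderDiv(untrusted) {
  return `<div id="divid">${encodeHtml(untrusted)}</div>`;
}

// Count '<' characters, i.e. how many tag starts the browser will see.
// Only the server's own <div> and </div> should appear, so the safe value is 2.
function countTagStarts(html) {
  return (html.match(/</g) || []).length;
}

// Constructed sample: untrusted text that closes the div and smuggles in a
// link with an inline onclick handler, the pattern the post demonstrates.
const SAMPLE_INPUT = 'content</div><a href="#" onclick="x()">x</a>';

console.log(countTagStarts(renderDivUnsafe(SAMPLE_INPUT))); // 5
console.log(countTagStarts(renderDiv(SAMPLE_INPUT)));       // 2
```

The encoded output renders the injected markup as literal text, so the browser never sees a second element or an event handler attribute.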