

#9 more XSS bugs

Status: open
Owner: nobody
Labels: None
Priority: 5
Updated: 2005-04-23
Created: 2005-04-23
Creator: Ulf Harnhammar
Private: No

I looked at the HTML stripper, and to be secure I think
you should also strip the elements <style>, <frame> and
<link> as well as the attribute "background".

There are also more intrinsic events that you don't
check for, such as onDblClick and whatever they're
called. Check W3C's HTML specification for details.

// Ulf Härnhammar
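The report lists things an HTML stripper must remove: the `<style>`, `<frame>` and `<link>` elements, the `background` attribute, and the intrinsic event handlers (`onDblClick` and the rest of the `on*` family). The following is an added example, not the project's own stripper and not code from the reporter. It goes a step beyond the report: instead of enumerating bad tags and handlers it keeps only an allowlist of tags and attributes, rejects every attribute whose name starts with `on` so no handler name has to be known in advance, and checks URL-valued attributes for a safe scheme. The allowlists, the `strip_html` name and the sample inputs are assumptions made for this example.

```python
import re
from html import escape
from html.parser import HTMLParser

# Assumed allowlists for this example; a real stripper tunes these to its needs.
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "ul", "ol", "li",
                "a", "img", "pre", "code", "blockquote"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "width", "height"}}
SAFE_URL_SCHEMES = ("http:", "https:", "mailto:")
# Elements whose text content is dropped too, not just the tags around it.
# <frame> and <link> have no content, so the allowlist alone removes them.
DROP_CONTENT_TAGS = {"script", "style", "frameset", "iframe", "object",
                     "embed", "noscript", "title", "textarea"}
VOID_TAGS = {"br", "img", "hr"}


def _safe_url(value):
    """Accept relative URLs and a few schemes; reject javascript:, data:, etc."""
    if value is None:
        return False
    # Browsers ignore embedded whitespace/control characters ("java\tscript:"),
    # so strip them before looking at the scheme.
    v = "".join(ch for ch in value if ord(ch) > 32).lower()
    head = re.split(r"[/?#]", v, 1)[0]  # a scheme can only precede the first / ? #
    if ":" in head:
        return head.split(":", 1)[0] + ":" in SAFE_URL_SCHEMES
    return True


class HtmlStripper(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)  # entities arrive as plain text
        self.out = []
        self.skip_depth = 0   # > 0 while inside an element whose content is dropped
        self.open_stack = []  # tags we emitted and still have to close

    def handle_starttag(self, tag, attrs):
        tag = tag.lower()
        if self.skip_depth:
            if tag in DROP_CONTENT_TAGS:
                self.skip_depth += 1
            return
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth = 1
            return
        if tag not in ALLOWED_TAGS:
            return  # unknown tag is dropped, its text content survives
        clean = []
        for name, value in attrs:
            name = name.lower()
            # Every intrinsic event handler (onclick, ondblclick, ...) and the
            # background/style attributes are rejected regardless of the tag.
            if name.startswith("on") or name in ("background", "style"):
                continue
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name in ("href", "src") and not _safe_url(value):
                continue
            clean.append(' %s="%s"' % (name, escape(value or "", quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(clean)))
        if tag not in VOID_TAGS:
            self.open_stack.append(tag)

    def handle_endtag(self, tag):
        tag = tag.lower()
        if self.skip_depth:
            if tag in DROP_CONTENT_TAGS:
                self.skip_depth -= 1
            return
        if tag in self.open_stack:
            # Close everything opened after it so the output stays well-formed.
            while self.open_stack:
                t = self.open_stack.pop()
                self.out.append("</%s>" % t)
                if t == tag:
                    break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))  # re-escape text content


def strip_html(html):
    """Return html reduced to the allowlisted tags and attributes."""
    p = HtmlStripper()
    p.feed(html)
    p.close()
    while p.open_stack:  # close tags the input left open
        p.out.append("</%s>" % p.open_stack.pop())
    return "".join(p.out)


if __name__ == "__main__":
    # Constructed inputs modelled on the cases in the report.
    for sample in (
        '<style>body{background:url(javascript:alert(1))}</style><p>hi</p>',
        '<p background="javascript:alert(1)" onDblClick="alert(2)">text</p>',
        '<a href="JaVa&#9;ScRiPt:alert(1)">x</a>',
    ):
        print(repr(sample), "->", repr(strip_html(sample)))
```

Comments and declarations are discarded by the parser callbacks this class does not override, and text content is re-escaped on output, so an attacker cannot smuggle markup through an entity. The `_safe_url` check only decides whether an attribute is kept; the value written out is the original one, escaped.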
