From: Wayne G. <ws...@wm...> - 2007-08-23 15:35:32
Have you seen this? http://quickwired.com/smallprojects/php_xss_filter_function.php

Haven't spent too much time with it, but on first glance, it looks relatively complete for stripping stuff out.

Wayne

Andrew Nagy wrote:
> Thanks Rob for looking into this. I guess the best thing to do is to encode the input into html entities.
>
> I will play around with this.
>
> Andrew
>
>> -----Original Message-----
>> From: vuf...@li... [mailto:vufind-tech-bo...@li...] On Behalf Of Casson, Robert D.
>> Sent: Thursday, August 23, 2007 10:53 AM
>> To: vuf...@li...
>> Subject: [VuFind-Tech] xss vulnerabilities
>>
>> been throwing some XSS stuff at my own projects, and decided to throw
>> one at vufind too.
>>
>> looks like it's vulnerable to at least some javascript injection:
>>
>> http://vufind.org/demo/Search/Home?lookfor=%3Cscript%3Ealert%28%27argh%27%29%3B%3C%2Fscript%3E&type=all&submit=Find
>>
>> this is likely only on display, but i haven't looked closely yet; just
>> an fyi, as this is something we're all having to deal with...
>>
>> rc
>>
>> -------------------------------------------------------------------------
>> This SF.net email is sponsored by: Splunk Inc.
>> Still grepping through log files to find problems? Stop.
>> Now Search log events and configuration files using AJAX and a browser.
>> Download your FREE copy of Splunk now
>> http://get.splunk.com/
>> _______________________________________________
>> Vufind-tech mailing list
>> Vuf...@li...
>> https://lists.sourceforge.net/lists/listinfo/vufind-tech

-- 
/**
 * Wayne Graham
 * Earl Gregg Swem Library
 * PO Box 8794
 * Williamsburg, VA 23188
 * 757.221.3112
 * http://swem.wm.edu/blogs/waynegraham/
 */
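An added example of the fix Andrew suggests (HTML-entity encoding), written here for illustration and not taken from VuFind or from the filter function Wayne links. It encodes the `lookfor` value at the moment it is written into the page, rather than stripping characters from the input: the search term is preserved exactly (a user who really searches for `<` still gets that query), while the markup characters are rendered as text. The function names `h`, `renderSearchBox` and `renderSearchBoxUnsafe` are hypothetical; the sample input is the decoded query string from the demo URL quoted in the thread.

```php
<?php
// Added example, not VuFind's own code: escape the user's search term where it is
// written back into HTML so that it is displayed literally instead of parsed as markup.

declare(strict_types=1);

/**
 * Encode a string for safe insertion into an HTML text node or a double-quoted attribute.
 * ENT_QUOTES covers both quote styles (so the value is safe inside value="...").
 * ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string, which
 * would otherwise silently blank the field.
 */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * The pattern the report describes (hypothetical reconstruction, kept only for contrast):
 * the raw query is concatenated straight into the page, so any tags it contains become
 * part of the document. Do not use.
 */
function renderSearchBoxUnsafe(string $lookfor): string
{
    return '<input type="text" name="lookfor" value="' . $lookfor . '">'
         . '<p>Your search: ' . $lookfor . '</p>';
}

/**
 * Hardened form: every untrusted value passes through h() at output time.
 * Encoding belongs at the output boundary, once per context; nothing about the stored
 * or logged search term has to change.
 */
function renderSearchBox(string $lookfor): string
{
    return '<input type="text" name="lookfor" value="' . h($lookfor) . '">'
         . '<p>Your search: ' . h($lookfor) . '</p>';
}

// Constructed input: the decoded lookfor parameter from the demo URL in Rob's message.
// When run from the CLI $_GET is empty, so the fallback value is used.
$lookfor = $_GET['lookfor'] ?? "<script>alert('argh');</script>";

if (PHP_SAPI !== 'cli') {
    header('Content-Type: text/html; charset=UTF-8');
}
// The emitted markup contains the term as entities; a browser shows it as plain text.
echo renderSearchBox($lookfor), "\n";
```

Two caveats worth keeping in mind when adopting this over a stripping filter like the linked one: a blacklist of tags and attributes has to anticipate every encoding and parser quirk the browser accepts, whereas entity encoding on output is context-independent for HTML text and attributes and has nothing to keep up to date; and `htmlspecialchars` covers only HTML contexts, so a value placed inside a `<script>` block, an inline event handler or a URL needs the encoder for that context instead.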