#9 more XSS bugs

open
nobody
None
5
2005-04-23
2005-04-23
No

I looked at the HTML stripper, and to be secure I think
you should also strip the elements <style>, <frame> and
<link> as well as the attribute "background".

There are also more intrinsic events that you don't
check for, such as onDblClick and whatever they're
called. Check W3C's HTML specification for details.

// Ulf Härnhammar

Discussion

Get latest updates about Open Source Projects, Conferences and News.

Sign up for the SourceForge newsletter:

JavaScript is required for this form.





No, thanks