Re: [mod-security-users] locations in windows, XSS
From: Ivan R. <iv...@we...> - 2004-06-28 09:14:28
Daniel Guido wrote:
> I have a very simple PHP script that has guestbook-like functionality.
> It also has no input sanitation. Therefore, I'd like to use one of
> those XSS regexes provided to check for XSS exploits in ONLY that one
> script, being that I use things like JavaScript elsewhere on my server.
> Here is what I used. It doesn't prevent me from putting JavaScript into
> the input fields, submitting it over POST, and then having it display on
> the page.
>
> SecFilterEngine DynamicOnly

Make sure you've configured PHP properly to do this. If you are not
sure, use "On" for the time being. Upgrade to "DynamicOnly" afterwards.

> <Location "C:\Apache2\users\www\feedback.php">
> SecFilterSelective ARGS "<[[:space:]]*script"
> </Location>

The <Location> directive is not correctly configured. You probably
want to use just

<Location "/feedback.php">
...
</Location>

--
ModSecurity (http://www.modsecurity.org)
[ Open source IDS for Web applications ]
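The following is an added configuration example, not part of Ivan's reply and not the ModSecurity project's own sample config. It puts the mistaken container and the corrected one side by side using the ModSecurity 1.x directives that appear in this thread, and assumes the guestbook script is reachable at the URL path /feedback.php.

```apache
# Added example (not from the original reply): ModSecurity 1.x directives
# scoped to a single script. Assumes feedback.php is served at /feedback.php.

# Mistaken form: <Location> matches the request's URL path, not a filesystem
# path, so this block never matches any request and the filter never runs.
# <Location "C:\Apache2\users\www\feedback.php">
#     SecFilterSelective ARGS "<[[:space:]]*script"
# </Location>

# Corrected form: match on the URL path so only feedback.php is filtered,
# leaving JavaScript served elsewhere on the site untouched.
<Location "/feedback.php">
    # "On" until the PHP handler setup is confirmed; switch to DynamicOnly later
    SecFilterEngine On
    # The guestbook submits over POST, so request bodies must be inspected too
    SecFilterScanPOST On
    # Block and log matching requests rather than only logging them
    SecFilterDefaultAction "deny,log,status:403"
    # Match "<script" with optional whitespace after "<" in any argument
    SecFilterSelective ARGS "<[[:space:]]*script"
</Location>
```

If the scope really needs to be tied to the file on disk rather than the URL, Apache's `<Files>` and `<Directory>` containers take filesystem names; `<Location>` only ever compares against the URL path, which is why the Windows path in the original never matched.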