[pmwiki-users] Security Update for Fox and FoxForum
Hans
design5 at softflow.co.uk
Sat Dec 1 09:46:31 CST 2007
Saturday, December 1, 2007, 2:09:04 PM, Hans wrote:
> I added the filter htmlspecialchars.
> Wthout this I could inject javascript code on my local machine with a
> post. This did not happen on my hosting server, so I do not know the
> extent of the danger for javascript injection attacks.
Maybe someone who knows about this better can advise me:
For testing the javascript injection vulnerability I posted
<script>alert('xss');</script>
On my local machine this produced an alert window to pop up.
Now I see that this only happened because I was using a Debug mode,
which uses 'echo' statements to show me various variable values.
Without any 'echo' I don't get an alert box in this test.
Now I do not know if this makes the vulnerability any less severe, or
even if it does not exist in this case. Please advise me if you know!
~Hans
More information about the pmwiki-users
mailing list