XSS-Bug in HTML::BBCode
by Taulmarill (Deacon)
on Aug 14, 2007 at 13:28 UTC (#632482=perlquestion)
Taulmarill has asked for the wisdom of the Perl Monks concerning the following question:
As I was looking for a nice BBCode2HTML converter, I came across the following behavior of the module, which I think is a bug that could be exploited to insert JS.
[color=blue" onmouseover="this.innerHTML = 'XSS']test[/color]
<span style="color: blue" onmouseover="this.innerHTML = 'XSS'">test</span>
I used the following script to test this behavior:
If I made a mistake, or there is a workaround other than disabling the color tag (and maybe other tags, too), please let me know. Also, I would like to hear other suggestions for BBCode2HTML converters (doesn't have to be exactly BBCode, could be something similar) that are known to be safe for public websites.
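The behavior reported above, reproduced and then hardened in a small stand-alone Perl script. This is an added example, not HTML::BBCode's code and not the test script from the post. The naive substitution copies the color value verbatim into the style attribute, which is exactly what produces the <span> quoted above. The hardened version HTML-escapes the whole input as text first and then only accepts a color value that matches a whitelist; the whitelist (CSS named colors and #rgb / #rrggbb) is an assumption about what the tag is meant to carry, and anything that fails it is rendered as literal text instead of markup.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# [color=VALUE]...[/color]; VALUE runs up to the closing bracket.
my $COLOR_TAG = qr{\[color=([^\]]*)\](.*?)\[/color\]}s;

# Naive conversion: VALUE is copied verbatim into the style attribute, so
# a double quote in it closes the attribute and whatever follows becomes
# new attributes (here an onmouseover handler). This reproduces the output
# quoted in the post.
sub color_naive {
    my ($text) = @_;
    $text =~ s{$COLOR_TAG}{<span style="color: $1">$2</span>}g;
    return $text;
}

# Minimal HTML escaping for text and double-quoted attribute context.
# '&' has to go first so the other replacements are not double-escaped.
sub escape_html {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    $s =~ s/'/&#39;/g;
    return $s;
}

# Whitelist for the color value. Assumption: only CSS named colors and
# #rgb / #rrggbb are legitimate. No spaces, quotes, parentheses or
# semicolons can get through, so neither attribute nor CSS injection is
# possible through this value.
my $COLOR_OK = qr{\A(?:[a-zA-Z]{1,20}|#[0-9a-fA-F]{3}|#[0-9a-fA-F]{6})\z};

# Builds the span for an accepted value; a rejected value leaves the tag
# as literal (already escaped) text instead of turning it into markup.
# $1/$2 are copied into lexicals before the whitelist match, because a
# later successful match would clobber them.
sub render_color {
    my ($value, $inner) = @_;
    return qq{<span style="color: $value">$inner</span>} if $value =~ $COLOR_OK;
    return "[color=$value]" . $inner . "[/color]";
}

# Hardened conversion: escape everything as text first, then convert the
# tag. After escaping, a quote in VALUE is already &quot; and can no longer
# close the attribute; the whitelist is the second, independent line.
sub color_safe {
    my ($text) = @_;
    $text = escape_html($text);
    $text =~ s{$COLOR_TAG}{ render_color($1, $2) }ge;
    return $text;
}

# Constructed inputs: the payload from the post plus two legitimate tags,
# one of them carrying raw HTML in the body to show text escaping as well.
my @inputs = (
    q{[color=blue" onmouseover="this.innerHTML = 'XSS']test[/color]},
    q{[color=blue]test[/color]},
    q{[color=#ff0000]<b>not bold</b>[/color]},
);

for my $in (@inputs) {
    print "input: $in\n";
    print "naive: ", color_naive($in), "\n";
    print "safe:  ", color_safe($in), "\n\n";
}
```

Run it with `perl` on the command line. For the payload from the post, the naive converter prints the exact <span> with the onmouseover handler, while the safe converter prints the tag back as plain text with the quotes turned into &quot;; for the two legitimate inputs both converters emit a <span>, and the safe one additionally neutralizes the <b> in the body. Whitelisting the value rather than only escaping it is the more robust choice here: escaping alone keeps the value inside the attribute, but the attribute is a CSS context, and a whitelist removes any question of what a browser might do with an odd value in a style attribute.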