Why is "Full HTML" Input Format Dangerous?
10.13.2008
This is a comment I submitted on my localhost site, with full HTML allowed for anonymous users. The fact that "XSS" came up in an alert means I'm vulnerable to attack.
If you want your skin to crawl more, visit the XSS Cheatsheet, which offers a number of techniques for XSS attacks. If you're ever in doubt, no better test than to attempt to hack yourself.
| Attachment | Size |
|---|---|
| xss.gif | 8.39 KB |
Syndicate
Head Drupal Chef at:
Recent comments
- Wouldn't it be good if when
43 sec ago - That captcha is a stupid
1 min 46 sec ago - think it should
3 min 4 sec ago - dhthtd
5 min 14 sec ago - dhthtd
5 min 16 sec ago - Also, I'd highly recommend
7 min 2 sec ago - Thanks for the post. Helped
8 min 57 sec ago - Theoretically, it shouldn't
10 min 58 sec ago - This attitude always reveals
44 min 54 sec ago - veryt nice work... thanks
11 hours 24 min ago
Comments
buy wow gold cheap wow power
buy wow gold
cheap wow power leveling
my wow gold
cheapest wow power leveling
BUY wow gold
cheap wow power leveling
CHEAP rs gold
good wow power leveling
MY lotro gold
CHEAPEST aion gold
buy wow gold
cheap wow gold
CHEAPEST wow gold
alert("you've been
alert("you've been hacked")
--
hmm - didnt work :(
heh, won't comment on whether
heh, won't comment on whether it would have worked last time I audited this site's security.
haha :)
haha :)
Hi, scary isnt it? This is a
Hi, scary isnt it? This is a common problem and it usually happens to people who are uninformed. I think that MySpace got hacked like this. I sat through a seminar once and this was one of the topics on the agenda.
You can do SQL injection this too cant you?
anyway... cheerio - Im out to check how secure my sites are. ;)
Post new comment