[typo] XSS vulnerability?

Rob Sanheim rsanheim at gmail.com
Mon Dec 5 14:47:27 EST 2005


On 11/26/05, Micah Wylde <wyldeone at gmail.com> wrote:
> Both the blog at rubyonrails.org and the one at typogarden.org are also
> vulnerable to this (though their text filters also translate quotation marks
> into html entities.)
>
>
> On 11/26/05, Kevin Ballard <kevin at sb.org> wrote:
> >
> > I just ran `rake' on my trunk and got no failures at all. And yet the
> > example XSS mostly works for me (it doesn't actually display an alert
> > because my textfilter translates " into an entity, but that can be
> > worked around).
> >
> > On Nov 26, 2005, at 8:45 AM, Scott Laird wrote:
> >
> > > Argh!  It's supposed to be filtered.  What happens when you run
> > > 'rake'?  There are several XSS-related tests, do any tests fail?
> >
> > --
> > Kevin Ballard
> > kevin at sb.org
> > http://www.tildesoft.com
> > http://kevin.sb.org
> >
> >
> >
> > _______________________________________________
> > Typo-list mailing list
> > Typo-list at rubyforge.org
> > http://rubyforge.org/mailman/listinfo/typo-list
>
> --
> Micah Wylde

Was there ever a resolution to this?
- rob
--
http://www.robsanheim.com/
http://www.ajaxian.com/