[typo] XSS vulnerability?

Micah Wylde wyldeone at gmail.com
Sat Nov 26 19:48:08 EST 2005


Both the blog at rubyonrails.org and the one at typogarden.org are also
vulnerable to this (though their text filters also translate quotation marks
into HTML entities).

On 11/26/05, Kevin Ballard <kevin at sb.org> wrote:
>
> I just ran `rake' on my trunk and got no failures at all. And yet the
> example XSS mostly works for me (it doesn't actually display an alert
> because my textfilter translates " into an entity, but that can be
> worked around).
>
> On Nov 26, 2005, at 8:45 AM, Scott Laird wrote:
>
> > Argh!  It's supposed to be filtered.  What happens when you run
> > 'rake'?  There are several XSS-related tests, do any tests fail?
>
> --
> Kevin Ballard
> kevin at sb.org
> http://www.tildesoft.com
> http://kevin.sb.org
>
>
>
> _______________________________________________
> Typo-list mailing list
> Typo-list at rubyforge.org
> http://rubyforge.org/mailman/listinfo/typo-list


--
Micah Wylde
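The thread above turns on one detail: a text filter that only rewrites `"` into an entity still lets markup through, so the fact that a quote-escaping filter stops one particular payload says nothing about whether the output is safe. The following Ruby snippet is an added illustration, not Typo's code and not posted by anyone in this thread. It places a hypothetical quote-only filter (assumed to mimic the behaviour described) beside a filter that escapes every HTML-significant character, and runs both over a constructed comment so the difference is visible.

```ruby
# Added example (not Typo's own code): a quote-only text filter, as described
# in the thread, beside a full HTML escape of the five significant characters.

# Hypothetical filter that only turns double quotes into entities. This is
# assumed to model the behaviour discussed on the list; it is not Typo's filter.
def quote_only_filter(text)
  text.gsub('"', '&quot;')
end

# Entity table for every character that can change HTML structure or attributes.
HTML_ESCAPES = {
  '&' => '&amp;',
  '<' => '&lt;',
  '>' => '&gt;',
  '"' => '&quot;',
  "'" => '&#39;'
}.freeze

# Escapes user-supplied text so it is rendered as literal characters, never markup.
def full_html_escape(text)
  text.gsub(/[&<>"']/) { |c| HTML_ESCAPES[c] }
end

# Detection helper: true if the output still contains an unescaped tag opener,
# i.e. a '<' followed by a letter or '/'. Escaped output must never match.
def contains_raw_tag?(html)
  html.match?(%r{<[A-Za-z/]})
end

# Constructed sample comment containing markup that must not be rendered.
SAMPLE_COMMENT = 'Nice post! <script>alert("typo")</script>'

if __FILE__ == $0
  puts "quote-only: #{quote_only_filter(SAMPLE_COMMENT)}"
  puts "full escape: #{full_html_escape(SAMPLE_COMMENT)}"
  puts "tag survives quote-only filter? #{contains_raw_tag?(quote_only_filter(SAMPLE_COMMENT))}"
end
```

The `contains_raw_tag?` check is the kind of assertion that belongs in a test suite like the rake tests Scott mentions: rather than checking that one known payload fails, assert that no tag opener survives the filter for any input that contains one.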