Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Bugtraq: Re: Re: Re: Apache Server HTML Injection and UTF-7 XSS Vulnerability

Re: Re: Re: Apache Server HTML Injection and UTF-7 XSS Vulnerability

From: Jon Ribbens <jon+bugtraq2_at_unequivocal.co.uk>
Date: Fri, 16 May 2008 10:44:15 +0100

On Wed, May 14, 2008 at 05:20:52PM -0000, Tom.Donovan_at_acm.org wrote:
> It appears there is little that web servers can do to thwart this,
> short of changing all '+' characters to %2B. That seems excessive.

To be fair, this is what Microsoft has recommended, explicitly for the
purpose of preventing XSS, for *at least* the last 6 years. The library
I use does indeed encode "+" as "+".
Received on May 16 2008

This message: [ Message body ]
Next message: Noah Meyerhans: "[SECURITY] [DSA 1576-2] New openssh packages fix predictable randomness"
Previous message: info: "Hack.lu 2008 CfP"
In reply to: Tom.Donovan_at_acm.org: "Re: Re: Re: Apache Server HTML Injection and UTF-7 XSS Vulnerability"
Maybe reply: yos20053_at_gmail.com: "Re: Re: Re: Re: Apache Server HTML Injection and UTF-7 XSS Vulnerability"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]