Home page logo

bugtraq logo Bugtraq mailing list archives

Re: Re: Re: Apache Server HTML Injection and UTF-7 XSS Vulnerability
From: Jon Ribbens <jon+bugtraq2 () unequivocal co uk>
Date: Fri, 16 May 2008 10:44:15 +0100

On Wed, May 14, 2008 at 05:20:52PM -0000, Tom.Donovan () acm org wrote:
It appears there is little that web servers can do to thwart this,
short of changing all '+' characters to %2B.  That seems excessive.

To be fair, this is what Microsoft has recommended, explicitly for the
purpose of preventing XSS, for *at least* the last 6 years. The library
I use does indeed encode "+" as "&#43;".

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]