Q and A for any cross site scripting information. Feel free to ask away. 
If changing all user input "<" to &lt; before rendering in HTML, can I say it's completely safe now?
Posted by: zhangxiao
Date: June 22, 2011 06:48AM

If changing all user input "<" to &lt; before rendering in HTML, can I say it's completely safe now?

Re: If changing all user input "<" to &lt; before rendering in HTML, can I say it's completely safe now?
Posted by: Albino
Date: June 22, 2011 10:18AM

Nope, it may be very easy to exploit depending on where you render the input. See http://ha.ckers.org/xss.html

Re: If changing all user input "<" to &lt; before rendering in HTML, can I say it's completely safe now?
Posted by: vinazn
Date: January 04, 2012 08:23PM

No. You have to consider that the attacker can use something like that to inject JavaScript when some data from a GET or a POST is used to set a URL.
e.g. <a href="http://sample.com/?var=(RECEIVE DATA)">
If the attacker injects something like that: " onmouseover="alert(1)" bad=,
he can run JavaScript on your website.

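An added example (not from this thread or any of its posters) in Python, contrasting the "<"-only encoder the question proposes with proper attribute-context encoding for the href case vinazn describes; the template, sample input string and helper names are constructed for illustration.

```python
import html
from urllib.parse import quote

# Constructed template matching the thread's example: user data lands inside
# an href attribute, i.e. an HTML attribute context, not a text-node context.
TEMPLATE = '<a href="http://sample.com/?var={value}">link</a>'

# Constructed sample input: the attribute-breakout string from the thread.
SAMPLE_INPUT = '" onmouseover="alert(1)" bad='


def escape_lt_only(value: str) -> str:
    """The insufficient encoder from the question: only '<' is rewritten."""
    return value.replace("<", "&lt;")


def escape_attribute(value: str) -> str:
    """Attribute-context encoder: html.escape(quote=True) rewrites & < > " and '."""
    return html.escape(value, quote=True)


def escape_url_then_attribute(value: str) -> str:
    """Defence in depth for the thread's exact case: the value is a query-string
    parameter, so percent-encode it as URL data first, then attribute-encode."""
    return html.escape(quote(value, safe=""), quote=True)


def render(value: str, encoder) -> str:
    """Render the constructed template with the given encoder applied to value."""
    return TEMPLATE.format(value=encoder(value))


def attribute_intact(rendered: str) -> bool:
    """True when the encoded value stayed inside the href attribute.

    The template contains exactly two literal double quotes (the ones around
    the href value). Any extra literal '"' in the output means the value
    terminated the attribute early and new attributes could be created."""
    return rendered.count('"') == TEMPLATE.count('"')


if __name__ == "__main__":
    for name, enc in (("lt-only", escape_lt_only),
                      ("attribute", escape_attribute),
                      ("url+attribute", escape_url_then_attribute)):
        out = render(SAMPLE_INPUT, enc)
        print(f"{name:14} intact={attribute_intact(out)!s:5} {out}")
```

The same value would need yet another encoder if it were placed inside a script block or a CSS property, which is Albino's point that the safe encoding depends on where the input is rendered.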