using markdown in a forum?
Michel Fortin
michel.fortin at michelf.com
Thu May  6 08:14:03 EDT 2010
On 2010-05-06 at 7:24, Louis-David Mitterrand wrote:
> Fortunately HTML::Scrubber allows denying specific attributes based on a
> regexp:
> 
> 	'href' => qr{^(?!(?:java)?script)}i,
> 	'src'  => qr{^(?!(?:java)?script)}i,
> 	etc.
That's full of holes. Use a whitelist, not a blacklist. For instance, it won't catch this:
	javascript:alert('XSS')
or this:
	jav	ascript:alert('XSS');
which will work, at least in some browsers!
Here's a good reference about javascript attacks (not all cases will apply to you, but a good reference nonetheless):
<http://ha.ckers.org/xss.html>
-- 
Michel Fortin
michel.fortin at michelf.com
http://michelf.com/
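As an added example (not from this thread and not HTML::Scrubber's own code), the following Python compares a port of the posted blacklist regex with a scheme allowlist that first normalizes the attribute value the way a browser does (entity decoding, tab/newline removal, leading control-character stripping); the allowed-scheme set and the sample inputs are constructed for illustration.

```python
import html
import re

# Allowlist of URL schemes acceptable in href/src (constructed for this example).
# Everything else, including javascript:, vbscript: and data:, is rejected.
ALLOWED_SCHEMES = {"http", "https", "mailto"}

# Port of the blacklist rule from the quoted post: qr{^(?!(?:java)?script)}i
_BLACKLIST = re.compile(r"^(?!(?:java)?script)", re.IGNORECASE)

# Browsers remove ASCII tab, LF and CR anywhere in a URL and strip leading and
# trailing C0 controls/spaces before they look for a scheme.
_TAB_NL_CR = re.compile(r"[\t\n\r]")
_C0_AND_SPACE = "".join(chr(c) for c in range(0x21))
_SCHEME = re.compile(r"^([a-zA-Z][a-zA-Z0-9+.\-]*):")


def blacklist_allows(value: str) -> bool:
    """True if the posted regexp would accept the raw attribute value."""
    return _BLACKLIST.match(value) is not None


def normalize_url(value: str) -> str:
    """Approximate the value a browser's URL parser actually sees."""
    value = html.unescape(value)            # e.g. "&#106;" -> "j"
    value = _TAB_NL_CR.sub("", value)       # "jav\tascript:" -> "javascript:"
    return value.strip(_C0_AND_SPACE)       # drop leading/trailing controls and spaces


def allowlist_allows(value: str) -> bool:
    """True only for relative URLs or URLs whose scheme is in ALLOWED_SCHEMES."""
    cleaned = normalize_url(value)
    match = _SCHEME.match(cleaned)
    if match is None:
        return True                          # no scheme: relative URL such as /path or #anchor
    return match.group(1).lower() in ALLOWED_SCHEMES


if __name__ == "__main__":
    for sample in ("http://example.com/", "javascript:alert('XSS')",
                   "jav\tascript:alert('XSS');", " javascript:alert('XSS')",
                   "&#106;avascript:alert('XSS')", "data:text/html,x"):
        print(repr(sample), "blacklist:", blacklist_allows(sample),
              "allowlist:", allowlist_allows(sample))
```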