<BASE HREF="javascript:alert('XSS');//"> is returned instead of being removed February 16, 2012 11:47AM
Registered: 1 year ago Posts: 2
Hi,
I am using CKEditor (http://ckeditor.com/) and HTML Purifier on my site. After the setup, I have been doing some random checks with the XSS code available in the smoke test.
By entering the following into the editor: < BASE HREF="javascript:alert('XSS');//" >
The editor returns the following text, which passes the HTML Purifier check unchanged: < BASE HREF="javascript:alert('XSS');//" > (please add ; followed by both < and > as the end result, as I am unable to display the actual HTML coding without it being converted into < and > respectively in this forum)
HTML Purifier doesn't clean the script because the < and > had been changed to < and > (again, please add in ; for both).
I would like to ensure that HTML Purifier will remove the entire script. How could I go about it?
Please advise. Thanks in advance!
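As an added example, not from the original post and not the HTML Purifier project's own code, the PHP snippet below (assuming HTML Purifier's standalone autoloader is on the include path) shows why the entity-encoded string is inert text to the sanitizer, and where the actual risk lies: decoding the entities after sanitizing rather than before.

```php
<?php
// Added example (not from the forum post): why the entity-encoded string is
// inert text, and why entity decoding must happen before purify(), never after.
// Assumption: HTML Purifier's standalone autoloader is on the include path.
require_once 'HTMLPurifier.auto.php';

$config   = HTMLPurifier_Config::createDefault();
$purifier = new HTMLPurifier($config);

// Constructed inputs: the live tag, and the same tag with < and > encoded,
// which is what the editor hands to the server in the situation described.
$liveTag    = '<BASE HREF="javascript:alert(\'XSS\');//">';
$encodedTag = '&lt;BASE HREF="javascript:alert(\'XSS\');//"&gt;';

// 1. A real <base> element is not on the default allowlist, so it is dropped.
$clean = $purifier->purify($liveTag);
assert($clean === '');

// 2. The encoded form contains no markup: the parser sees a text node, so
//    Purifier keeps it as text and re-escapes it on output. A browser renders
//    the characters literally and creates no element. This is correct, not a bypass.
$cleanText = $purifier->purify($encodedTag);
assert(strpos($cleanText, '<') === false);   // still no raw angle brackets

// 3. The hazard: decoding entities AFTER sanitizing turns the text back into
//    live markup on the output side.
$unsafe = html_entity_decode($cleanText, ENT_QUOTES);
assert(stripos($unsafe, '<base') === 0);     // a real tag again

// 4. If the application wants encoded markup treated as markup, decode first,
//    then purify, so <base> is removed like any other disallowed element.
$safe = $purifier->purify(html_entity_decode($encodedTag, ENT_QUOTES));
assert($safe === '');
```

The check in step 2 is the one to keep in a regression suite: sanitized output must never contain a raw `<` that was not produced from an allowed element.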
Re: <BASE HREF="javascript:alert('XSS');//"> is returned instead of being removed February 16, 2012 12:06PM
Admin Registered: 6 years ago Posts: 2,632
Re: <BASE HREF="javascript:alert('XSS');//"> is returned instead of being removed February 16, 2012 09:58PM
Registered: 1 year ago Posts: 2