Search the Community
Showing results for tags 'XSS'.
The search index is currently processing. Current results may not be complete.
Is there a way to prevent that a malicious person crafts a piece of code that changes the value of an action attribute? Like when you have this line of html: <form method="post" name="register" action="<?php echo $_SERVER['PHP_SELF']; ?>"> but the attacker places the entire script on his own server. Is this XSS? What are the consequences of gaining/finding protected data? If this kind of attack is possible, can someone show with an example how this is done?
In my webpage, I am going allow clients (X)HTML. To avoid XSS, I will use HTML Purifier, and disable the <script> tag (and some other dangerous tags). Yet I would like to enable designers of those (X)HTML to use certain programming-like features, for example displaying a list of items, which would need a for-loop. Then I came up with the idea that : users submit the XSL code, I provide the XML with the data required by the users. As HTML Purifier cannot sanitise XSL code (can it?), my proposed flow would be: [*]User submits a piece of XSL code.[*]In the server, there are som
CMS/Forum Session/cookie management and security, picking a good example. I am starting an opensource GPL forum project primarily for the sake of learning. I have been looking at the different implementations for user authentication and session management of different CMS and forum packages.Trying to go through and learn what is being done. Also wondering which makes for the best example of a good clean way to implement it.I would prefer to store the bare minimum cookies client side and keep most data in session variables server side.Unless there is a good reason to have another cookie or two,