Message preview seems to allow unfiltered markup... XSS?

Posted by MattEvans (Moderator, Featured Poster) on Jul 26th, 2007

Post #1
<iframe src="http://fusiongroups.net/test.html" />

I noticed this a while back... it seems that any HTML in the first part of the body of a message gets interpreted in that little preview box that shows the first part of a thread when you mouse over the title in a forum view... is this known about/considered a problem? If my suspicions are correct, mousing over this thread's title on the DaniWeb community board listing page will execute some JavaScript from another server in a child context of a DaniWeb page = not good.
Plato forgot the nullahedron..
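The preview behaviour the post describes, as an added example that is not part of the original post or of the forum software: a preview builder that drops raw body text into the tooltip markup, beside a hardened one that truncates first and then HTML-escapes. The function names, the 60-character preview limit and the sample body are assumptions (only the iframe markup comes from the post).

```python
import html

# Constructed sample post body: the iframe tag is the one from the post above,
# the trailing text is made up.
SAMPLE_BODY = '<iframe src="http://fusiongroups.net/test.html" /> I noticed this a while back...'

PREVIEW_CHARS = 60  # assumed preview length; the real forum's value is not known

WRAP_OPEN = '<div class="preview">'
WRAP_CLOSE = '</div>'


def vulnerable_preview(body: str, limit: int = PREVIEW_CHARS) -> str:
    """Preview built the way the post describes: the first part of the raw body
    is cut off and placed straight into the tooltip markup, so any tag in that
    part of the message is parsed and rendered by the browser."""
    snippet = body[:limit]
    return f'{WRAP_OPEN}{snippet}{WRAP_CLOSE}'


def safe_preview(body: str, limit: int = PREVIEW_CHARS) -> str:
    """Hardened version: truncate the plain text first, then HTML-escape it.
    Escaping after truncation means an entity such as &lt; is never cut in
    half, and quote=True keeps the result safe inside a title="..." attribute
    as well as in element content."""
    snippet = body[:limit]
    return f'{WRAP_OPEN}{html.escape(snippet, quote=True)}{WRAP_CLOSE}'


def contains_markup(fragment: str) -> bool:
    """Check a test suite could run over generated previews: does any raw
    angle bracket survive inside the wrapper element?"""
    inner = fragment[len(WRAP_OPEN):len(fragment) - len(WRAP_CLOSE)]
    return '<' in inner or '>' in inner
```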
Forum system based on vBulletin Copyright ©2000 - 2009, Jelsoft Enterprises Ltd.
©2003 - 2008 DaniWeb® LLC