by Xk
5288 days ago
There is an XSS on pen.io. I posted this a while ago, but feint didn't fix it.

http://xssdemo.pen.io

Suggestion: it is very hard to allow HTML but remove JavaScript. Write a method called something like isJSPresent(), and then, after you've done your filtering, check if JavaScript is on the page. If it is, return an HTML-encoded version of the page. Then the security of your page will rely only on the correctness of that single method, and not on the correctness of your rewriter (which is much more complex).
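The fail-closed pattern the post suggests, as an added example that is not pen.io's code or the poster's: an allowlist rewriter does the filtering, a separate `isJSPresent()` inspects the result, and if anything script-capable survived, the whole submission is returned HTML-encoded instead. The rewriter here is deliberately simplistic and leaves `href`/`src` schemes unchecked (a stand-in for "a bug in the complex rewriter"), so the backstop has something to catch. All function names, the allowlist and the sample inputs are assumptions made for the example.

```javascript
'use strict';
// Added example, not from the original post or from pen.io. Demonstrates a
// sanitizer whose safety rests on a small isJSPresent() backstop rather than
// on the correctness of the (much larger) HTML rewriter.

// Assumed allowlist for the demo rewriter.
const ALLOWED_TAGS = new Set(['b', 'i', 'p', 'br', 'a', 'img']);
const ALLOWED_ATTRS = { a: new Set(['href']), img: new Set(['src', 'alt']) };

function escapeHtml(s) {
  return s.replace(/[&<>"']/g,
    c => ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));
}

// Single-pass entity decoder so the detector sees through "&#106;avascript:".
// Named set is intentionally small; unknown references are left untouched.
function decodeEntities(s) {
  const named = { lt: '<', gt: '>', amp: '&', quot: '"', apos: "'", colon: ':', tab: '\t', newline: '\n' };
  return s.replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);?/gi, (m, body) => {
    const b = body.toLowerCase();
    if (b[0] === '#') {
      const cp = b[1] === 'x' ? parseInt(b.slice(2), 16) : parseInt(b.slice(1), 10);
      return cp > 0x10ffff ? m : String.fromCodePoint(cp);
    }
    return Object.prototype.hasOwnProperty.call(named, b) ? named[b] : m;
  });
}

// Allowlist rewriter: keeps allowed tags with allowed attributes, drops the
// rest (tag removed, inner text kept). Intentional weakness for the demo:
// no URL-scheme validation on href/src, so "javascript:" links pass through.
function rewriteHtml(input) {
  return input.replace(/<\/?([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g, (whole, name, attrs) => {
    const tag = name.toLowerCase();
    if (!ALLOWED_TAGS.has(tag)) return '';            // <script>, <iframe>, ...
    if (whole.startsWith('</')) return `</${tag}>`;
    const keep = [];
    const allowed = ALLOWED_ATTRS[tag];
    if (allowed) {
      const attrRe = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
      let m;
      while ((m = attrRe.exec(attrs)) !== null) {
        const attr = m[1].toLowerCase();
        const value = [m[2], m[3], m[4]].find(v => v !== undefined) || '';
        if (allowed.has(attr)) keep.push(`${attr}="${escapeHtml(value)}"`);
      }
    }
    return `<${tag}${keep.length ? ' ' + keep.join(' ') : ''}>`;
  });
}

// The backstop: conservative, small, and allowed to false-positive. Looks for
// the ways markup can execute script: script-capable elements, on* handlers,
// script URL schemes (with entity decoding and whitespace squeezed, since
// browsers ignore tabs/newlines inside a scheme) and legacy CSS expression().
function isJSPresent(html) {
  const decoded = decodeEntities(html).toLowerCase().replace(/\u0000/g, '');
  const squeezed = decoded.replace(/[\u0001-\u0020]/g, '');
  const tagSignals = [/<script/, /<iframe/, /<object/, /<embed/, /<svg/, /<math/, /<base/, /<meta/];
  const attrSignals = [/[\s"'/]on[a-z]+\s*=/];
  const schemeSignals = [/javascript:/, /vbscript:/, /data:/, /expression\(/];
  return tagSignals.some(re => re.test(decoded))
    || attrSignals.some(re => re.test(decoded))
    || schemeSignals.some(re => re.test(squeezed));
}

// Filter first; if JavaScript is still present the rewriter was bypassed, so
// fail closed and return the original submission fully HTML-encoded.
function render(userHtml) {
  const rewritten = rewriteHtml(userHtml);
  if (isJSPresent(rewritten)) return { html: escapeHtml(userHtml), blocked: true };
  return { html: rewritten, blocked: false };
}

// Constructed sample submissions for the demo.
const samples = [
  '<p>Hello <b>world</b></p>',
  '<script>alert(1)</script>',
  '<img src="x" onerror="alert(1)">',
  '<a href="javascript:alert(1)">click</a>',
  '<a href="jav\tascript:alert(1)">x</a>',
];
for (const s of samples) console.log(JSON.stringify(s), '->', render(s));
```

With the allowlist the first three samples come out clean, and the rewriter alone would have let the last two through; `isJSPresent()` catches them and the user sees their own markup as inert text. The detector will sometimes block harmless content (a page that merely mentions `data:` in a URL, for instance), which is the trade the post proposes: a false positive costs a rendered page, a false negative costs an XSS.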