[Owasp-antisamy] escaped tags goes thru without getting removed

Girish ivgirish at yahoo.com
Wed Apr 15 15:52:45 EDT 2009


Yeah, good point. I know we can't take care of everything, but if we 
can remove obvious stuff like this one (i.e. a js file in the image tag), 
then it reduces the risk by some %.



Serge Droganov wrote:
> Hi there,
> How can you be sure I've not saved explosiveAtomBombe.js as 
> funnyBunny.jpg?
>
>  Leave this to browser programmers ;-)
>
> Thanks,
> Serge
>
> On Apr 15, 2009, at 11:27 PM, Girish wrote:
>
>> Any idea how to remove this type of URL? Does the policy file need to 
>> be tuned?
>>
>> <img src="http://aksdgjklasdjgkjasklgjkl.com/attack.js"/> 
>>
>> thanks,
>> Girish
>
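The trade-off discussed in this thread, as an added Python example (not AntiSamy code and not written by either poster): an extension allow-list applied to the parsed path of each `<img src>`. The allow-list, the function names and the example.com URLs are assumptions; the check flags the `.js` source from the question but, as Serge points out, it still accepts any file that is merely named `.jpg`.

```python
from html.parser import HTMLParser
from posixpath import splitext
from urllib.parse import unquote, urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif"}  # assumed allow-list


def img_src_allowed(src):
    """True if src is an absolute http(s) URL whose path ends in an image extension."""
    try:
        parts = urlsplit(src.strip())
    except ValueError:  # malformed authority, e.g. unbalanced IPv6 brackets
        return False
    if parts.scheme not in ALLOWED_SCHEMES or not parts.hostname:
        return False
    # Judge the decoded path only, so a query string or fragment ending in
    # ".jpg" cannot vouch for a path that ends in ".js".
    path = unquote(parts.path)
    if any(ord(ch) < 0x20 for ch in path):  # control characters after decoding
        return False
    return splitext(path)[1].lower() in ALLOWED_EXTENSIONS


class ImgSrcAudit(HTMLParser):
    """Collects (src, allowed) for every <img> tag in an HTML fragment."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            src = dict(attrs).get("src") or ""
            self.findings.append((src, img_src_allowed(src)))


def audit_img_sources(html):
    parser = ImgSrcAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: the first tag is the one from the thread, the rest are made up.
SAMPLE = (
    '<img src="http://aksdgjklasdjgkjasklgjkl.com/attack.js"/>'
    '<img src="http://example.com/funnyBunny.jpg"/>'
    '<img src="http://example.com/attack.js?name=funnyBunny.jpg"/>'
)
```

The second sample is accepted on its name alone, which is the limit Serge describes: the extension says nothing about what the server actually returns.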