[Owasp-antisamy] escaped tags goes thru without getting removed

Arshan Dabirsiaghi arshan.dabirsiaghi at aspectsecurity.com
Wed Apr 15 18:06:05 EDT 2009


Sorry to be blunt but the request is a bit nonsensical. Even if that  
evil file was JavaScript it wouldn't execute.

You can only invoke JS in an img tag using event handlers and by  
invoking a non-HTTP protocol handler in the src attribute.

Arshan



On Apr 15, 2009, at 3:53 PM, "Girish" <ivgirish at yahoo.com> wrote:

> yeah..good point...i know we can't take care of everything..but if  
> we can remove obvious stuff like this one (i.e. js file in the image  
> tag), then it reduces the risk by some %
>
>
>
> Serge Droganov wrote:
>>
>> Hi there,
>> How can you be sure I've not saved explosiveAtomBombe.js as  
>> funnyBunny.jpg?
>>
>>  Leave this to browser programmers ;-)
>>
>> Thanks,
>> Serge
>>
>> On Apr 15, 2009, at 11:27 PM, Girish wrote:
>>
>>> any idea how to remove this type of URLs ? does policy file need  
>>> to be tuned ?
>>>
>>> <img src="http://aksdgjklasdjgkjasklgjkl.com/attack.js"/>
>>>
>>> thanks,
>>> Girish
>>
>>
>> _______________________________________________
>> Owasp-antisamy mailing list
>> Owasp-antisamy at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-antisamy
>>
>
> _______________________________________________
> Owasp-antisamy mailing list
> Owasp-antisamy at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-antisamy
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-antisamy/attachments/20090415/ade1d1da/attachment.html 


More information about the Owasp-antisamy mailing list