[owasp-antisamy] Issue with parsing tags containing null bytes
Krpata, Tyler
tkrpata at constantcontact.com
Fri Dec 9 10:18:48 EST 2011
IE will interpret <%00script> as a valid script tag and execute javascript. I will file a bug.
From: Arshan Dabirsiaghi <arshan.dabirsiaghi at aspectsecurity.com<mailto:arshan.dabirsiaghi at aspectsecurity.com>>
Date: Fri, 9 Dec 2011 00:02:13 -0500
To: Tyler Krpata <tkrpata at constantcontact.com<mailto:tkrpata at constantcontact.com>>, "owasp-antisamy at lists.owasp.org<mailto:owasp-antisamy at lists.owasp.org>" <owasp-antisamy at lists.owasp.org<mailto:owasp-antisamy at lists.owasp.org>>
Subject: RE: [owasp-antisamy] Issue with parsing tags containing null bytes
How is a URL-encoded null byte dangerous? What is your input and output? If you think something is a bug, please fill out a bug report at [0].
Arshan
P.S. http://code.google.com/p/owaspantisamy/issues/list
From: owasp-antisamy-bounces at lists.owasp.org<mailto:owasp-antisamy-bounces at lists.owasp.org> [mailto:owasp-antisamy-bounces at lists.owasp.org] On Behalf Of Krpata, Tyler
Sent: Thursday, December 08, 2011 5:42 PM
To: owasp-antisamy at lists.owasp.org<mailto:owasp-antisamy at lists.owasp.org>
Subject: [owasp-antisamy] Issue with parsing tags containing null bytes
Hi all,
Has anyone come across the behavior where Java Antisamy does not correctly parse tags that contain a url-encoded null byte at the beginning of the tag? For example <%00script>
Thanks,
Tyler
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-antisamy/attachments/20111209/5a0b5693/attachment.html
More information about the Owasp-antisamy
mailing list