using markdown in a forum?
Louis-David Mitterrand
vindex+lists-markdown-discuss at apartia.org
Thu May 6 08:25:54 EDT 2010
On Thu, May 06, 2010 at 08:14:03AM -0400, Michel Fortin wrote:
> Le 2010-05-06 à 7:24, Louis-David Mitterrand a écrit :
>
> > Fortunately HTML::Scrubber allows denying specific attributes based on a
> > regexp:
> >
> > 'href' => qr{^(?!(?:java)?script)}i,
> > 'src' => qr{^(?!(?:java)?script)}i,
> > etc.
>
> That's full of holes. Use a whitelist, not a blacklist. For instance,
> it won't catch this:
I am using a whitelist, it was just an example.
> javascript:alert('XSS')
>
> or this:
>
> jav ascript:alert('XSS');
Good points.
Perl users might want to HTML::Entities::decode($html) before using
HTML::Scrubber.
> which will work, at least in some browsers!
>
> Here's a good reference about javascript attacks (not all cases will apply to you, but a good reference nonetheless):
> <http://ha.ckers.org/xss.html>
Thanks,
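As an added example (not code from the thread or from HTML::Scrubber): the href/src blacklist regex quoted above, translated into Python's re, next to a scheme whitelist that entity-decodes and strips control characters before deciding, so the whitespace and entity-encoded variants discussed in the thread are rejected. The allowed scheme set and the sample values are assumptions made for this example.

```python
import html
import re
from urllib.parse import urlsplit

# The href/src blacklist from the post, translated from Perl qr{...}i into Python re.
BLACKLIST = re.compile(r"^(?!(?:java)?script)", re.IGNORECASE)

# Whitelist (an assumption for this example): schemes a forum link may use.
# A relative URL has no scheme and is also fine.
ALLOWED_SCHEMES = {"http", "https", "mailto"}


def blacklist_allows(url: str) -> bool:
    """True if the blacklist regex accepts the attribute value exactly as written."""
    return BLACKLIST.match(url) is not None


def normalize(url: str) -> str:
    """Apply the decoding a browser applies before it reads the scheme:
    resolve HTML entities (the HTML::Entities::decode step from the post), then
    drop tabs, newlines and other C0 controls/spaces that browsers ignore.
    Only the verdict uses this value; the stored attribute is left alone."""
    decoded = html.unescape(url)
    return re.sub(r"[\x00-\x20]", "", decoded)


def whitelist_allows(url: str) -> bool:
    """True only for a relative URL or one whose scheme is explicitly allowed."""
    scheme = urlsplit(normalize(url)).scheme.lower()
    return scheme == "" or scheme in ALLOWED_SCHEMES


def check(url: str) -> tuple:
    """(blacklist verdict, whitelist verdict) for one href/src value."""
    return blacklist_allows(url), whitelist_allows(url)


if __name__ == "__main__":
    # Constructed inputs: two ordinary links, the plain payload, the whitespace
    # variant from the thread (a tab here) and an entity-encoded variant that
    # only becomes visible after decoding.
    for value in ["http://example.com/", "/relative/path",
                  "javascript:alert('XSS')", "jav\tascript:alert('XSS');",
                  "&#106;avascript:alert('XSS')"]:
        print(repr(value), check(value))
```

The blacklist column shows True (allowed) for both obfuscated variants, while the whitelist rejects them and still keeps the ordinary links.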