urosm
/
ikiwiki
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

security issues

master
Joey Hess 2007-11-12 14:14:00 -05:00
parent c8bf872775
commit d9e9e474a8
1 changed files with 9 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
doc/todo/__42__forward__42__ing_functionality_for_the_meta_plugin.mdwn
View File

@ -24,3 +24,12 @@ I can also submit a Git patch, if desired.
--[[tschwinge]] --[[tschwinge]]
> The html scrubber cannot scrub meta headers. So if you emit one
> containing user-supplied data, it's up to you to scrub it to avoid all
> possible XSS attacks. Two attacks I'd worry about are cyclic meta refresh
> loops, which some, but not all web browsers detect and break, and any way
> to insert javascript via the user-supplied parameters. (Ie, putting
> something in the delay value that closes the tag can probably insert
> javascript ATM; and are there ways to embed javascript in the url?)
> --[[Joey]]