lists.openwall.net
Open Source and information security mailing list archives
Message-ID: <008901c24b95$54e06e80$e62d1c41@kc.rr.com>
From: mattmurphy at kc.rr.com (Matthew Murphy)
Subject: phpReactor - Cross-Site Scripting via STYLE

phpReactor has recently been updated to eliminate several known cross-site
scripting vulnerabilities. Among these changes was to reduce the tags
allowed in posts, profiles, etc. down to B, I, and FONT. However, using
the "STYLE" attribute, one can still defeat this:

<b style="expression(alert(document.cookie))">

This won't work on all browsers (IE runs it, though).

"The reason the mainstream is thought of as a stream is because it is so
shallow."
- Author Unknown
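Added example, not part of the original message and not phpReactor's code: a Python sketch of why a filter that checks only tag names lets the STYLE attribute through, next to a filter that rebuilds each allowed tag from an attribute allowlist. The function names, the FONT attribute list and the sample inputs are assumptions constructed for illustration.

```python
import re
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"b", "i", "font"}  # the tags the advisory says are permitted
# Assumption: the only attributes worth keeping are FONT's presentational ones.
ALLOWED_ATTRS = {"font": {"color", "size", "face"}}

def tag_only_filter(html):
    """Weak filter (constructed): looks at the tag name only and keeps the
    whole tag, attributes included, which is the gap the advisory describes."""
    def keep(match):
        return match.group(0) if match.group(1).lower() in ALLOWED_TAGS else ""
    return re.sub(r"</?\s*([a-zA-Z0-9]+)[^>]*>", keep, html)

class _Rebuilder(HTMLParser):
    """Re-emits allowed tags from scratch instead of passing input through."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # disallowed tag: drop it, its text content is still escaped
        allowed = ALLOWED_ATTRS.get(tag, ())
        kept = "".join(f' {k}="{escape(v or "")}"' for k, v in attrs if k in allowed)
        self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data))  # text is always re-escaped on output

def attribute_aware_filter(html):
    """Hardened filter: style, on* handlers and any unknown attribute never
    reach the output because only allowlisted attributes are re-emitted."""
    parser = _Rebuilder()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)

# Constructed sample: the tag from the message with text and a closing tag added.
SAMPLE = '<b style="expression(alert(document.cookie))">hi</b>'

if __name__ == "__main__":
    print("tag-only filter:       ", tag_only_filter(SAMPLE))
    print("attribute-aware filter:", attribute_aware_filter(SAMPLE))
```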