Re: Re: Re: Apache Server HTML Injection and UTF-7 XSS Vulnerability

From: Jon Ribbens <jon+bugtraq2@unequivocal.co.uk>
To: bugtraq@securityfocus.com
Cc:
Subject: Re: Re: Re: Apache Server HTML Injection and UTF-7 XSS Vulnerability
Date:


On Wed, May 14, 2008 at 05:20:52PM -0000, Tom.Donovan@acm.org wrote:
> It appears there is little that web servers can do to thwart this,
> short of changing all '+' characters to %2B.  That seems excessive.

To be fair, this is what Microsoft has recommended, explicitly for the
purpose of preventing XSS, for *at least* the last 6 years. The library
I use does indeed encode "+" as "&#43;".





Copyright © 1995-2019 LinuxRocket.net. All rights reserved.