Heine

  • Home
  • Drupal
  • About
Home

Input Format

Using <embed> for XSS

Heine —Fri, 2009/10/30 - 18:38

I see a lot less stray <script> tags in the "Allowed HTML tags:" of the HTML filter these days. The <embed> tag is something I still see a lot in misconfigured formats.

It's rather easy to exploit such formats to execute JavaScript with a little bit of ActionScript:

  • Drupal
  • Security
  • Planet Drupal
  • Input Format
  • Read more about Using for XSS
  • 1 comment

Input formats - the quickest way to make your site insecure

Heine —Sun, 2007/12/30 - 23:15

In a desperate attempt to balance my karma at the end of the year, a small public service post about the most popular way to make your site insecure. This is aimed at website administrators and developers. There will be no code (promise).

  • Drupal
  • Security
  • Planet Drupal
  • Input Format
  • Read more about Input formats - the quickest way to make your site insecure
  • 14 comments
Subscribe to Input Format

Recent posts

  • Other vectors for SA-CORE-2014-005?
  • Lazy loading: hook_hook_info is for hook owners only.
  • "Always offline" problem in EA's Origin due to antivirus
  • From bug to exploit - Bakery SSO
  • Solving getting bogus dates via MSSQL_QUERY
more

Security reviews

I provide security reviews of custom code, contributed modules, themes and entire sites via LimoenGroen.

Contact us for a quote.

Follow @ustima

Copyright © 2021 by Heine Deelstra. All rights reserved.

  • Home
  • Drupal
  • About