Input Format
Using <embed> for XSS
Heine Fri, 2009/10/30 - 18:38
I see far fewer stray <script> tags in the "Allowed HTML tags:" setting of the HTML filter these days. The <embed> tag is something I still see a lot in misconfigured input formats.
It's rather easy to exploit such formats to execute JavaScript with a little bit of ActionScript:
Input formats - the quickest way to make your site insecure
Heine Sun, 2007/12/30 - 23:15
In a desperate attempt to balance my karma at the end of the year, a small public service post about the most popular way to make your site insecure. This is aimed at website administrators and developers. There will be no code (promise).
