[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: [PATCH] Fix XSS vulnerabilites in madison.php

Hi Chris,

On Monday 12 May 2008 14:28, Chris Lamb wrote:
> I have attached a patch that fixes some cross-site scripting vulnerabilites
> in http://qa.debian.org/madison.php.

Good work. Since the page is in UTF-8, it's better to use htmlspecialchars() 
than htmlentities(), because the latter tends to cause trouble with multibyte 
chars and there's no need to encode more entities than htmlspecialchars does 
if the charset is UTF-8.

I also don't think these are really "vulnerabilities" since there's no 
sensitive data to steal through this cross site scripting, as far as I know. 
But of course, still, output should be properly encoded.


Attachment: pgpUg44qeuPHg.pgp
Description: PGP signature

Reply to: