Re: Form Reload with Tainted Values
Joost Diepenmaat:
> *If* that's true, then the input can be used as an XSS attack -
> they'll just have to lure some unsuspecting victim to the
> error/feedback page you created.
None of the returned values will ever be stored in a session (or make it
into the database), so I assume that hijacking and/or redirection will not
be an issue. Put another way around, if the attacker's browser will be the
only client to display rogue input, what's the harm to the rest of us?
Mike
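Added example, not part of this thread: the reflected-XSS risk Joost raises, a submitted value echoed back into the reloaded form, shown as the unescaped pattern beside an attribute-escaped fix. The input value, function names and the crude tag check are my own constructions; the form is assumed to be rendered server-side.

```python
import html
import re

# Constructed sample input: an attacker-controlled field value as it might
# arrive in a form submission that the error/feedback page reloads.
TAINTED_NAME = '"><script>alert(1)</script>'


def render_unescaped(value: str) -> str:
    # The risky pattern: the submitted value is echoed straight back into the
    # value attribute, so a double quote in it ends the attribute early.
    return f'<input type="text" name="name" value="{value}">'


def render_escaped(value: str) -> str:
    # Hardened form: escape for the HTML attribute context. quote=True also
    # converts " and ' so the value cannot close the attribute it sits in.
    safe = html.escape(value, quote=True)
    return f'<input type="text" name="name" value="{safe}">'


def breaks_out_of_attribute(markup: str) -> bool:
    # Crude check for the demonstration: the reloaded field should contain
    # exactly one tag, the <input> itself. Any other tag name means the
    # submitted value escaped the attribute context.
    tags = re.findall(r"<(/?\w+)", markup)
    return tags != ["input"]


def round_trips(value: str) -> bool:
    # The escaped form still carries the user's text: the browser decodes the
    # entities back to the original characters when it reads the attribute.
    escaped = html.escape(value, quote=True)
    return html.unescape(escaped) == value


if __name__ == "__main__":
    print(render_unescaped(TAINTED_NAME))
    print(render_escaped(TAINTED_NAME))
```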