I'm getting the XSS warning when passing this parameter to any site where scripts are allowed:
q=%0A%26lt%3Bscript
For example:
http://www.kernel.org/?q=%0A%26lt%3Bscript
The parameter decodes as: [newline]<script
Is this a bug? How could that parameter be considered an XSS risk? (The initial newline seems to trigger it - without that it's not a problem.)
XSS warning - is this a bug?
obiwan
Mozilla/5.0 (X11; Linux i686; rv:6.0) Gecko/20100101 Firefox/6.0
Re: XSS warning - is this a bug?
I think newlines can be used to tamper with HTTP headers in some cases, so I doubt it's a bug. Giorgio would know more.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.
True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (Linux; U; Android 2.2.1; en-gb; GT-S5570 Build/FROYO) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1
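An added example, not part of the thread and not NoScript's filter logic: it peels the encoding layers off the parameter from the question and reports whether the fully decoded value contains a line break or a tag opener, the two things the posts discuss. The function names and the two labels are assumptions made for illustration.

```python
import html
import re
from urllib.parse import unquote

def decode_layers(value, max_rounds=5):
    """Peel URL-encoding and HTML-entity encoding one layer at a time.

    Returns every intermediate form, starting with the raw value.
    max_rounds bounds the work on deliberately deep nesting.
    """
    forms = [value]
    for _ in range(max_rounds):
        current = forms[-1]
        decoded = unquote(current)              # %XX layer first
        if decoded == current:
            decoded = html.unescape(current)    # then &name; / &#NN; layer
        if decoded == current:
            break                               # fixed point: nothing left to decode
        forms.append(decoded)
    return forms

def inspect_param(value):
    """Describe what remains once the value is fully decoded."""
    forms = decode_layers(value)
    final = forms[-1]
    notes = []
    if "\r" in final or "\n" in final:
        notes.append("line-break")              # the character the reply points at
    if re.search(r"<\s*[A-Za-z/!]", final):
        notes.append("tag-opener")              # e.g. "<script"
    return {"layers": len(forms) - 1, "final": final, "notes": notes}

if __name__ == "__main__":
    # Values from the question, plus constructed variants for comparison.
    for sample in ("%0A%26lt%3Bscript", "%26lt%3Bscript", "%250A", "kernel"):
        print(repr(sample), inspect_param(sample))
```

The value in the question carries two layers: URL-encoding on the outside and an HTML entity inside it, so a check that decodes only once never sees the `<`.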