XSS warning - is this a bug?

Posted: Sun Sep 04, 2011 7:09 am
by obiwan
I'm getting the XSS warning when passing this parameter to any site where scripts are allowed:

q=%0A%26lt%3Bscript

For example:
http://www.kernel.org/?q=%0A%26lt%3Bscript

The parameter decodes as: [newline]<script

Is this a bug? How could that parameter be considered an XSS risk? (The initial newline seems to trigger it - without that it's not a problem.)

Re: XSS warning - is this a bug?

Posted: Wed May 30, 2012 11:09 am
by Thrawn
I think newlines can be used to tamper with HTTP headers in some cases, so I doubt it's a bug. Giorgio would know more.
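To make the two points in this thread concrete, here is an added example (not NoScript's code and not its actual heuristic) that takes the URL from the original post, shows what the q parameter becomes after each decoding layer, and applies two simple checks of the kind a filter might use: one for CR/LF characters that could break out of an HTTP header, and one for a script tag that only appears once HTML entities such as &lt; are resolved. The helper functions, their names and the check logic are assumptions made for this illustration.

```javascript
// Added example, not NoScript's code. Shows the decoding stages of
// q=%0A%26lt%3Bscript and two illustrative checks; the heuristic here is
// an assumption for demonstration, not NoScript's real XSS filter.

// Minimal HTML entity decoder covering the entities that matter here.
function decodeHtmlEntities(s) {
  const named = { lt: '<', gt: '>', amp: '&', quot: '"', apos: "'" };
  return s.replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);/gi, (m, body) => {
    if (body[0] === '#') {
      const code = body[1].toLowerCase() === 'x'
        ? parseInt(body.slice(2), 16)
        : parseInt(body.slice(1), 10);
      if (Number.isNaN(code) || code > 0x10ffff) return m;
      return String.fromCodePoint(code);
    }
    const v = named[body.toLowerCase()];
    return v === undefined ? m : v;
  });
}

// Extract a query parameter and return it at each decoding stage:
// raw = after one round of URL decoding (done by URLSearchParams),
// entityDecoded = after additionally resolving HTML entities.
function decodeStages(url, name) {
  const raw = new URL(url).searchParams.get(name);
  const entityDecoded = raw === null ? null : decodeHtmlEntities(raw);
  return { raw, entityDecoded };
}

// Header-break check: a CR or LF inside a value that is later copied into an
// HTTP header (Location, Set-Cookie, ...) lets the attacker end that header
// and append headers or a body of their own.
function containsHeaderBreak(value) {
  return /[\r\n]/.test(value);
}

// Script-tag check on the fully decoded value, so that an entity-encoded
// "&lt;script" is caught as well as a literal "<script".
function containsScriptTag(value) {
  return /<script\b/i.test(decodeHtmlEntities(value));
}

// Run both checks on one parameter of a URL and report the decoding stages.
function analyse(url, name) {
  const { raw, entityDecoded } = decodeStages(url, name);
  if (raw === null) return { present: false };
  return {
    present: true,
    raw,
    entityDecoded,
    headerBreak: containsHeaderBreak(raw),
    scriptTag: containsScriptTag(raw),
  };
}

// Usage with the URL from the original post:
// analyse('http://www.kernel.org/?q=%0A%26lt%3Bscript', 'q')
// raw is "\n&lt;script", entityDecoded is "\n<script",
// headerBreak is true, scriptTag is true.
```

Note that the value in the post is doubly encoded: one URL-decoding pass yields a newline followed by the entity `&lt;script`, and only a further HTML-entity decode produces a literal `<script`. Whether that is dangerous depends entirely on where the receiving page puts the value, which is exactly why a client-side heuristic has to err on the side of warning.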