Slacker007 wrote: I feel that spammer alerts need their own home/forum
So I am just repeating your idea. That saying about 'Great Minds think alike' would be apt here, if it wasn't for the fact you were the other person that thought it.
Ᵽompey wrote: if it wasn't for the fact you were the other person that thought it.
I think a lot of us here have thought the same thing.
-----------------------------
Just along for the ride.
-----------------------------
Deleted the message, as I can.
Member reported, let the Hammies do the rest.
Panic, Chaos, Destruction. My work here is done.
Drink. Get drunk. Fall over - P O'H
OK, I will win to day or my name isn't Ethel Crudacre! - DD Ethel Crudacre
I cannot live by bread alone. Bacon and ketchup are needed as well. - Trollslayer
Have a bit more patience with newbies. Of course some of them act dumb - they're often *students*, for heaven's sake - Terry Pratchett
Comment on the article not here.
The author can fix it.
I think Nish is right, my bad.
There is no direct risk in this article, but it is something that admin should maybe look at.
modified on Thursday, June 30, 2011 7:25 AM
The author can fix it... but it is a bug... and CodeProject needs to fix it.
Nagy Vilmos wrote: Comment on the article not here. The author can fix it.
The OP's referring to potential XSS attacks on CP! Although I am not sure it's that bad here, just need to filter some tags out of the subject-header.
Okay, my bad.
1. I can't find any reference containing XSS in the link you posted
2. This 'article' is six years old.
The best things in life are not things.
Yeah, good catch. I've 5d all 3 of your posts to make up for the other 2 responses you got
Richard MacCutchan wrote: 1. I can't find any reference containing XSS in the link you posted 2. This 'article' is six years old.
The OP's referring to how the subject line renders the HTML INPUT control instead of showing the text. I am not sure this is a path to an XSS attack but it's a good idea to filter it out.
Nishant Sivakumar wrote: The OP's referring ...
Badly!
Richard MacCutchan wrote: Badly!
He's from Spain based on his profile and is probably not very comfortable in English. Still, it was rather obvious what he was talking about. So I am kinda surprised Nagy and you could interpret it so totally wrong.
You are right, I'm Spanish, and my English... is very bad.
The original statement reads the user put input in description and appears... one input... is a XSS ... fix please
Sorry, but even accepting that OP's first language is not English I could not see what the message was trying to say. However, I guess that's just another fail on my part, so I'll move on.
Richard MacCutchan wrote: The original statement reads the user put input in description and appears... one input... is a XSS ... fix please
Well, that's what a telegram would have looked like 50 years ago. I don't get why Nagy and you did not understand him, it seems so obvious to me. Maybe I'm just good at this stuff
Nishant Sivakumar wrote: Maybe I'm just good at this stuff
One point in my favor is that I am a little more used to non-native English (than most people), so maybe that helps.
Nishant Sivakumar wrote: I don't get why Nagy and you did not understand him, it seems so obvious to me.
OK let's break it down:
1. the user put input in description : the problem description contains the word 'input' ?
2. and appears... : and appears what ?
3. one input... : ??
4. is a XSS ... : ?? or is this part of 3, in either case I don't see what it is supposed to mean
5. fix please : that I do understand
I am still not convinced it has anything to do with the OP's use of English, more the over-liberal ellipses. I spent the last 15 years of my working life supporting users across Europe, Africa, the Middle East and India, so I am fairly comfortable with non-English speakers.
Richard MacCutchan wrote: 1. the user put input in description : the problem description contains the word 'input' ?
The article description contains the text "input". Maybe it's because you are not a regular author, but as someone who has written quite a few articles here, I am quite conscious of how an article has a title and a description. And considering his thread subject mentions XSS, I automatically assumed (rightly so) that input referred to the html tag.
Richard MacCutchan wrote: 2. and appears... : and appears what ?
He means that the INPUT control renders (or appears on screen). Again from (1) I already know he's talking about the INPUT-tag so I know that when he says appears, he means the control appears within the description.
Richard MacCutchan wrote: 3. one input... : ??
One INPUT-control appears (is rendered). He's re-stressing how the control is showing up (when it shouldn't).
Richard MacCutchan wrote: 4. is a XSS ... : ?? or is this part of 3, in either case I don't see what it is supposed to mean
What he means is that this is XSS in action here. No actual script in the example but it's trivial to add inline script to one of the control's events.
Richard MacCutchan wrote: 5. fix please : that I do understand
Wow, ok, I am surprised!
Once again I am not saying you or Nagy were being naive here, just that I was surprised at how something that was so obvious to me was so cryptic to you guys (and I know both of you are smart people).
Maybe I am just that good.
Nishant Sivakumar wrote: Maybe I am just that good.
Probably true ... I know I'm not.
I didn't try using alert('hello')</scrip> in the subject, but if <input> works... I guess it doesn't check some HTML tags.
Suppose that...
onfocus...
Yeah, there are potential risks there. Anyway, Chris has fixed it; he loves fixing bugs before he's had his morning coffee!
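The fix the thread is asking for, as an added JavaScript example that is not CodeProject's own code: encode a user-supplied subject line at render time so an `<input>` tag (with or without an event handler) is displayed as text, plus a separate submission-time check that flags tag-like subjects for moderators. The sample subjects and the function names are constructed for this example.

```javascript
// Added example (not CodeProject's code): rendering a forum subject line so
// that markup such as <input> is shown as text rather than interpreted.

// Output encoding: every character with meaning in HTML becomes an entity.
// Applied when the subject is written into the page, this neutralises any
// tag or event handler, whatever tag names a denylist happened to know about.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Detection: a cheap check at submission time so subjects that contain
// tag-like content or an on*= attribute can be logged for moderators.
// It complements encoding; it must not replace it, because filtering
// "some tags out" (as suggested in the thread) is easy to get wrong.
const TAG_PATTERN = /<\s*\/?\s*[a-z][\w-]*[^>]*>/i;
const EVENT_HANDLER = /\son[a-z]+\s*=/i;

function classifySubject(subject) {
  return {
    hasMarkup: TAG_PATTERN.test(subject),
    hasEventHandler: EVENT_HANDLER.test(subject),
    rendered: escapeHtml(subject),
  };
}

// Constructed sample subjects, modelled on the thread's report of an INPUT
// control showing up inside an article description. The third one shows
// that ordinary "<" and "&" in plain text are encoded but not flagged.
const SAMPLES = [
  "Question about session timeouts",
  "Test <input onfocus=alert(1)>",
  "Price is 5 < 10 & 10 > 5",
];

function demo() {
  return SAMPLES.map((s) => ({ subject: s, ...classifySubject(s) }));
}

for (const r of demo()) console.log(JSON.stringify(r));
```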