google-code-export / owaspantisamy

Automatically exported from code.google.com/p/owaspantisamy
1 stars 1 forks source link

Tags embedded in PHP blocks not removed #145

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
Even with a strict policy file that removes all tags, the following gets 
through:

<?php
$name = $_GET['name'];
echo "Welcome $name<br>";
echo "<a href="http://xssattackexamples.com/">Click to Download</a>";
?>

Original issue reported on code.google.com by r...@hasselbaum.net on 12 Dec 2012 at 8:14

GoogleCodeExporter commented 9 years ago
Just to clarify, it's the <a> tag that doesn't get removed. (I wouldn't expect 
the PHP block as a whole to get removed.)

This is reproducible in release 1.4.4.

Original comment by r...@hasselbaum.net on 14 Dec 2012 at 2:44