[UPHPU] Formbuilder Request for Feedback
Brandon Stout
bms at mscis.org
Thu Jun 14 12:25:34 MDT 2007
phpninja wrote:
> Found an XSS hole in testing a few things; you want to fix this before a
> full-scale release
>
> http://formbuilder2.esourcehome.com/?module=forms&action=view&ID=%3Cscript%3Ealert(%22sux%20sux%22)%3C/script%3E<script>alert(document.cookie);</script
>
_Always_ check URLs in your code for valid entries. You don't want
people using SQL injection on a million-dollar database, or loading an
email form on a third party server via their URL injected into your URL
so they can spam 100,000 people as an authenticated user in your domain.
Can one underline, bold, and italicise in a plain text email? If so:
_*/always/*_ check...
Brandon Stout
http://mscis.org
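As an added illustration of the "check the URL parameters" advice above (example code, not from the Formbuilder project or anyone in the thread): a view page that reflects `ID` unchecked, next to one that validates the parameter as a positive integer, escapes everything it echoes, and uses a prepared statement for the lookup. The `FORMS` table, the `forms` SQL table and the `render_*`/`load_form` function names are assumptions for the demonstration; the attack input is constructed from the reported payload.

```php
<?php
// Added example, not the Formbuilder project's own code.
// Assumes a page reached as ?module=forms&action=view&ID=... that renders
// one record. Data store, table and function names are hypothetical.

declare(strict_types=1);

// Hypothetical in-memory store standing in for the database, keyed by integer ID.
const FORMS = [1 => 'Contact form', 2 => 'Survey'];

// Vulnerable: reflects the raw query-string value straight into the page,
// so a <script> tag in ID runs in the visitor's browser.
function render_view_unsafe(array $query): string
{
    $id = $query['ID'] ?? '';
    return '<h1>Form ' . $id . '</h1>';
}

// Hardened, step 1: validate the parameter against the only shape it may have
// (a positive integer). Anything else is rejected, not "cleaned".
function parse_form_id(array $query): ?int
{
    $raw = $query['ID'] ?? null;
    if (!is_string($raw)) {
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Hardened, step 2: escape on output as well, even for values that passed
// validation or came from the store.
function render_view_safe(array $query): string
{
    $id = parse_form_id($query);
    if ($id === null || !isset(FORMS[$id])) {
        http_response_code(400);
        return '<p>Invalid form ID.</p>';
    }
    $name = htmlspecialchars(FORMS[$id], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<h1>Form ' . $id . ': ' . $name . '</h1>';
}

// Same rule on the database side: the validated integer is bound as a
// parameter, never concatenated into the SQL text.
function load_form(PDO $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT id, name FROM forms WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed inputs: the reported payload shape and a normal request.
$attack = ['module' => 'forms', 'action' => 'view', 'ID' => '<script>alert(1)</script>'];
$benign = ['module' => 'forms', 'action' => 'view', 'ID' => '2'];

echo render_view_unsafe($attack), PHP_EOL; // script tag lands in the HTML verbatim
echo render_view_safe($attack), PHP_EOL;   // <p>Invalid form ID.</p>
echo render_view_safe($benign), PHP_EOL;   // <h1>Form 2: Survey</h1>
```

The point of keeping validation and escaping as two separate steps is that each covers what the other misses: `filter_var` stops the script payload (and the SQL-injection case) before it reaches any sink, while `htmlspecialchars` on output still protects the page when a value legitimately contains `<`, `&` or quotes.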