[VIM] OpenEdit XSS vendor dispute
Steven M. Christey
coley at linus.mitre.org
Wed Dec 28 00:16:10 UTC 2005
On Tue, 27 Dec 2005, Sullo wrote:
> This sounds to me like a developer that doesn't get XSS. He seems to be
> thinking in terms of supplying an invalid *number* to the "page"
> variable, rather than supplying some arbitrary text.
He doesn't understand XSS that much, but he finds enough real issues...
I bet what happened is that he sent "<script>" to the page, and the page
generated an error because it's not a number, and that resulted in an
error message that didn't quote the resulting HTML.
Near as I can tell, PHP itself doesn't quote an error message before
returning it to the user. If it doesn't, it should, but I don't have PHP
so I can't prove this.
More information about the VIM