[VIM] OpenEdit XSS vendor dispute

Steven M. Christey coley at linus.mitre.org
Wed Dec 28 00:16:10 UTC 2005


On Tue, 27 Dec 2005, Sullo wrote:

> This sounds to me like a developer that doesn't get XSS. He seems to be
> thinking in terms of supplying an invalid *number* to the "page"
> variable, rather than supplying some arbitrary text.

He doesn't understand XSS that much, but he finds enough real issues...

I bet what happened is that he sent "<script>" to the page, and the page
generated an error because it's not a number, and that resulted in an
error message that didn't quote the resulting HTML.

Near as I can tell, PHP itself doesn't quote an error message before
returning it to the user.  If it doesn't, it should, but I don't have PHP
so I can't prove this.

- Steve
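The failure mode Steve describes, as an added example that is not part of this thread or of OpenEdit: a PHP handler whose "not a number" error path reflects the raw "page" value into the response, beside a hardened version of the same handler (the function names, parameter names and page range are assumptions for illustration).

```php
<?php
// Added example (not from the VIM thread or OpenEdit). Constructed code: the
// function names, the 'page' handling and the 1..9999 range are assumptions.

// Vulnerable: only the happy path expects a number; the error path echoes the
// raw input, so a non-numeric value containing markup lands in the page as HTML.
function render_page_vulnerable(array $get): string
{
    $page = $get['page'] ?? '1';
    if (!is_numeric($page)) {
        // The error message contains the user-controlled text verbatim.
        return "<p>Error: page '" . $page . "' is not a valid page number.</p>";
    }
    return "<h1>Page " . (int)$page . "</h1>";
}

// Hardened: validate as an in-range integer, and never let the raw value reach
// the output unescaped, error path included.
function render_page_hardened(array $get): string
{
    $raw  = $get['page'] ?? '1';
    $page = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => 9999],
    ]);
    if ($page === false) {
        // htmlspecialchars() with ENT_QUOTES encodes <, >, &, " and ', so the
        // reflected value is rendered as text rather than interpreted as markup.
        $safe = htmlspecialchars((string)$raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        return "<p>Error: page '" . $safe . "' is not a valid page number.</p>";
    }
    return "<h1>Page " . $page . "</h1>";
}

// Constructed probe input: a non-numeric 'page' value containing a script tag,
// the kind of request Steve suspects produced the original report.
$probe = ['page' => '<script>alert(1)</script>'];
echo render_page_vulnerable($probe), "\n";
echo render_page_hardened($probe), "\n";
```

Run with `php` on the command line; the first line shows the tag reflected intact, the second shows it entity-encoded.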
