1

Topic: Sanitization test failing

Hello,

When I test the following URL in the test online link (http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed/htmLawedTest.php), it fails:

http://example.com/text.php?&t=%3Cscript%3Ealert(%27check%27);%3C/script%3E

Please let me know a suitable reason and a way to fix it.

This URL is the format in which I am getting the hits and the page is not responding. I have tried HTML Tidy, Purifier to no avail.

Thanks,

2

Re: Sanitization test failing

When you say 'it fails,' what exactly do you mean?

The URL you provide seems to be harmless (with or without htmLawed processing). E.g., the URL below is of the same form.

http://www.bioinformatics.org/phplabware/forum/viewtopic.php?id=%3Cscript%3Ealert(%27check%27);%3C/script%3E

If I browse to this URL by putting it in the browser's address/location bar, or by clicking the link below, I do not see any vulnerability. The cross-site scripting (XSS) code in the URL (<script>alert...</script>) does not execute (in Firefox 21 or IE 10 or Chrome 28 on Windows 7).

http://www.bioinformatics.org/phplabwar … /script%3E

I see the same with other URLs of the same form, like http://cnn.com/index.php?&t=%3Cscript%3Ealert(%27check%27);%3C/script%3E.

3 (edited by picklespy 2013-07-04 02:06:11)

Re: Sanitization test failing

Yes, it does not throw an alert.

But, the page times out. That should not happen, I think.

The ideal scenario would be either of the following:

1. Discard the input and throw an error message.
2. Use the sanitized input and action accordingly.

If you try to open the two example links you gave in your reply, you would see that they time out. That is not the expected behavior of correct input handling.

4

Re: Sanitization test failing

On my computer, opening the links by clicking on them or directly browsing to the addresses does not cause a time-out.

--

Can you provide a bit more detail about the scenario for which you are using htmLawed? I assume users input some text in a textarea, and htmLawed is then used to filter the input text. You want to make sure that htmLawed cleans the URLs of the type you mention, otherwise a visitor might click on the link and see a time-out issue. Is this correct?
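The two handling options listed in post 3 (discard the input with an error, or use the sanitized input) applied to the scenario post 4 describes (user-supplied text filtered with htmLawed), as an added example that is not code from this thread or from the htmLawed project. It assumes htmLawed's single source file sits beside the script and exposes htmLawed($text, $config) as the library documents; the query string is the constructed sample from the first post.

```php
<?php
// Added example, not code from the thread or from the htmLawed project.
// Assumes htmLawed.php (the library's single source file) sits next to this
// script and exposes htmLawed($text, $config), as its documentation describes.
require_once __DIR__ . '/htmLawed.php';

// Constructed sample input: the query string from the first post, before
// percent-decoding. In a live script it would come from $_SERVER['QUERY_STRING'].
$rawQuery = '&t=%3Cscript%3Ealert(%27check%27);%3C/script%3E';

// parse_str() percent-decodes the same way PHP builds $_GET; the stray
// leading '&' only yields an empty key, which is ignored.
parse_str($rawQuery, $params);
$t = isset($params['t']) ? (string) $params['t'] : '';

// Option 1 from post 3: refuse any value that carries markup at all.
// strip_tags() is used only as a coarse detector: if removing tags changes
// the string, a tag-like sequence was present and the value is discarded.
function containsMarkup(string $value): bool
{
    return strip_tags($value) !== $value;
}

// Option 2 from post 3: keep the value but pass it through htmLawed with
// 'safe' => 1, which neutralizes script elements, event-handler attributes
// and javascript: URLs while preserving harmless markup.
function sanitizeWithHtmLawed(string $value): string
{
    return htmLawed($value, array('safe' => 1));
}

// Pick one policy; both answer the request promptly instead of hanging.
$policy = 'reject'; // or 'sanitize'

header('Content-Type: text/html; charset=utf-8');

if ($policy === 'reject') {
    if (containsMarkup($t)) {
        http_response_code(400);
        echo '<p>The parameter t may not contain HTML.</p>';
        exit;
    }
    // Plain text reflected into a page is still escaped on output.
    echo '<p>t = ' . htmlspecialchars($t, ENT_QUOTES, 'UTF-8') . '</p>';
} else {
    // Sanitized HTML is meant to be rendered, so it is emitted as-is;
    // htmLawed has already neutralized the script tag (converted to text
    // or removed, depending on its keep_bad setting).
    echo '<div>' . sanitizeWithHtmLawed($t) . '</div>';
}
```

For a query parameter that is supposed to hold plain text, the reject branch (or simply escaping with htmlspecialchars on output) is the right choice; the htmLawed branch belongs to fields such as a rich-text textarea where some markup must survive. Neither branch does anything that depends on the payload, so a time-out like the one reported in post 3 would have to come from elsewhere in the request handling, not from the sanitization step.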