[thelist] What to watch for when you allow external text to be included in your page?
Alliax
damiencola at wanadoo.fr
Wed Nov 28 17:05:17 CST 2001
Hello,
I'd like to know what to watch for when I make external input part of my
HTML page?
My situation is that I dynamically generate an IMG tag with PHP;
the SRC and ALT attributes are filled with data from a database.
So I would like to know what to watch for before entering the data in the
database.
(I am thinking of some sort of server include, although I don't know the
syntax used for them well, but surely others know and could try)
For example, would something like this be a threat (assume I know nothing of the
syntax)?
<IMG SRC=http://www.server.com/image.gif
ALT="<!exec='/erase -everything -onServer'>" width="80">
What can you think of?
Thank you.
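
An added example, not part of the original post: one way to build the IMG tag described above so that database values cannot break out of the SRC or ALT attributes. The helper names (safe_image_url, h, render_img) and the sample rows are assumptions made for illustration; the first row reuses the ALT value from the post.

```php
<?php
// Added example (not the poster's code). Store the raw text in the database,
// then escape it for the HTML context at the moment it is written to the page.

// Hypothetical helper: accept only absolute http/https URLs, otherwise null.
function safe_image_url(string $url): ?string
{
    $url = trim($url);
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;                      // relative, malformed or host-less
    }
    $scheme = strtolower($parts['scheme']);
    if ($scheme !== 'http' && $scheme !== 'https') {
        return null;                      // rejects javascript:, data:, file:, ...
    }
    return $url;
}

// Hypothetical helper: escape for an HTML attribute value. ENT_QUOTES covers
// both quote styles, so the value cannot end the attribute; '<' becomes '&lt;',
// so the value cannot start a tag, comment or directive in the output.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Always quote attributes; an unquoted attribute ends at the first space.
function render_img(string $src, string $alt, int $width): string
{
    $url = safe_image_url($src);
    if ($url === null) {
        return '';                        // drop the image instead of emitting a bad URL
    }
    return sprintf('<img src="%s" alt="%s" width="%d">', h($url), h($alt), $width);
}

// Constructed sample rows standing in for database content.
$rows = [
    ['http://www.server.com/image.gif', "<!exec='/erase -everything -onServer'>"],
    ['http://www.server.com/image.gif', '"><script>alert(1)</script>'],
    ['http://www.server.com/a.gif" onerror="x', 'logo'],
    ['javascript:alert(1)', 'logo'],
];
foreach ($rows as [$src, $alt]) {
    $html = render_img($src, $alt, 80);
    echo ($html !== '' ? $html : '[rejected]'), "\n";
}
```

In the first three rows the hostile characters come out as entities (&lt;, &quot;, &#039;) inside a quoted attribute, and the fourth row is rejected because its scheme is not http or https.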