J u a n wrote:
> On 3/3/06, Alexander Hristov <joffer@gmail.com> wrote:
>> Just tested : http://ws.arin.net/whois/?queryinput=%3CIMG+SRC%3D%22javascript%3Aalert%28%27XSS%27%29%3B%22%3E
>> it still works for me
> Works for me on Internet Explorer, didn't work with Firefox 1.5.
It's an IE and Opera feature, not Firefox.
Test it yourself: http://www_ush_it/team/ascii/img_src_test.html
http://ws.arin.net/whois/?queryinput=%3Cscript%3Ealert('xss')%3C/script%3E
This one is universal.
htmlentities or a whitelist PCRE match are the correct way to handle XSS:
<?php
// Whitelist check: only a-z, 0-9 and '.' (1 to 255 chars) get through; anything else stops the script.
// (The underscores in this defanged sample value fail the check, so as written the script exits.)
$queryinput = 'www_ush_it';
if (!preg_match('|^[a-z0-9\.]{1,255}$|', $queryinput)) exit();
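Both defences named above in one place, as an added example that is not the poster's code: a whitelist check on the query and htmlentities() on anything reflected back into the page. The character class (letters, digits, dots, hyphens, colons) and the \z anchor are my assumptions about what a whois query needs; the sample inputs are constructed from the payloads quoted in this thread.

```php
<?php
// Added example, not from the thread. Two independent layers:
// 1) input validation with a whitelist, 2) output encoding of whatever is reflected.

// Whitelist: letters, digits, '.', '-' and ':' (for IPv6) -- an assumption about
// what a whois lookup needs. \z instead of $ so a trailing newline cannot slip past.
function is_valid_whois_query(string $q): bool
{
    return preg_match('/\A[a-zA-Z0-9.:-]{1,255}\z/', $q) === 1;
}

// Output encoding: ENT_QUOTES neutralises both " and ', not only < and >,
// which matters when the value lands inside an attribute rather than a text node.
function reflect_safely(string $q): string
{
    return htmlentities($q, ENT_QUOTES, 'UTF-8');
}

// Constructed inputs: the two payloads from the thread plus a legitimate query.
$samples = [
    '<IMG SRC="javascript:alert(\'XSS\');">',
    "<script>alert('xss')</script>",
    'ws.arin.net',
];

foreach ($samples as $q) {
    $verdict = is_valid_whois_query($q) ? 'accepted' : 'rejected';
    // Even an accepted value is encoded before it is echoed back.
    printf("%-40s %-9s %s\n", $q, $verdict, reflect_safely($q));
}
```

The whitelist rejects both payloads outright; the encoding layer is what protects you if the whitelist is ever loosened or bypassed.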