[drupal-devel] Question on valid_input_data()
kbahey at gmail.com
Sun May 8 03:41:17 UTC 2005
Actually, after some more tracing, the style element was not the
culprit. It was the on[a-z]+ regexp. I think this filters the
If I have banners that rely on using onclick to redirect to an ad
serving page/script, and these are being blocked by Drupal, what can
be done about them?
On 5/7/05, K B <kbahey at gmail.com> wrote:
> In 4.6 includes/common.inc, in the function valid_input_data(), there
> is a check for various entities. Among these entities, there is a
> check for "style".
> I use the banner module with text ads, and I use things like:
> <div style="some-style-definitions">some text</div>
> This check causes the above to be flagged as a security breach attempt
> and is logged to the watchdog as such.
> My question is: Can the "style" element be used in malicious attacks?
> If yes, then how?
> Thanks in advance.