[drupal-devel] Question on valid_input_data()
K B
kbahey at gmail.com
Sun May 8 11:35:53 UTC 2005
On 5/8/05, puregin <puregin at puregin.org> wrote:
> Hi K B, yes, the style element can be used in attacks. If an
> attacker can
> place CSS on your page, arbitrary elements can be moved, or hidden;
> images can be replaced, or tiled to completely render the page
> useless; images can be used in information leak attempts and
> some browsers extend CSS to allow the execution of scripts.
Thanks.
It turned out that style is not the issue, but the on* javascript events.
More information about the drupal-devel
mailing list