[drupal-devel] Question on valid_input_data()

K B kbahey at gmail.com
Sun May 8 11:35:53 UTC 2005

On 5/8/05, puregin <puregin at puregin.org> wrote:
>      Hi K B, yes, the style element can be used in attacks.  If an
> attacker can
> place CSS on your page, arbitrary elements can be moved, or hidden;
> images can be replaced, or tiled to completely render the page
> useless; images can be used in information leak attempts and
> some browsers extend CSS to allow the execution of scripts.


It turned out that style is not the issue, but the on* javascript events.

More information about the drupal-devel mailing list