- From: Tom Gilder <tom@tom.me.uk>
- Date: Mon, 30 Sep 2002 15:06:04 +0100
- To: www-validator@w3.org
Hello, there are multiple ways to insert HTML and scripting into the
validator...
* Simple querystring:
http://validator.w3.org/check?uri=http://<script>alert("boo")</script>
* Character encoding HTTP header:
Returning "Content-type: text/html; charset=<script>...</script>"
http://validator.w3.org/check?uri=http://tom.me.uk/2002/9/val.asp
* Server HTTP header - "Server: <script>...</script>"
* Content-length HTTP Header - "Content-length: <script>...</script>"
All of these should have the HTML escaped before outputting.
Cheers
--
Tom Gilder
http://tom.me.uk/
Received on Monday, 30 September 2002 10:13:41 UTC