Got this from a fly-by commenter. It probably says something like "All your base belong to us", but it does open an alert box. Should this be of concern or is it mostly harmless?

Subject: "">>

Comment: "">><<script>alert("не употребляйте наркотики....хотя")</script> (the Russian string reads "don't use drugs....although")

Comments

mooffie’s picture

Should this be of concern or is it mostly harmless?

Yes, it's of concern, because it opens the door for XSS attacks.

Perhaps you give your users permission to use the "Full HTML" input format? You shouldn't, because this input format doesn't filter out nasty things.

If you think you have discovered some security breach in Drupal, don't discuss it here but use the http://drupal.org/contact form (the "Security issue" category).
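
The distinction mooffie draws above, as an added example that is not part of this thread and not Drupal's own filter code: a small allow-list filter in the spirit of a "Filtered HTML" style input format, run against the exact comment that was posted, beside the two other ways a site can treat comment text, passing it through unchanged (what "Full HTML" does) or escaping all of it (plain text). The tag and attribute sets, the URL scheme list and the `contains_active_content` check are this example's own assumptions, not Drupal's shipped configuration. It goes a little beyond the thread by also covering the attribute-based vectors (`onmouseover`, `javascript:` URLs, including an entity-encoded colon) that a tag-only filter would miss.

```python
from html import escape
from html.parser import HTMLParser
import re

# The comment exactly as it appeared in the post above (constructed copy of
# the thread's sample; the Russian string reads "don't use drugs....although").
POSTED_COMMENT = '"">><<script>alert("не употребляйте наркотики....хотя")</script>'

# Assumed allow-list in the spirit of a "Filtered HTML" style input format.
# These sets are this example's own choice, not Drupal's defaults.
ALLOWED_TAGS = {"a", "em", "strong", "cite", "code", "ul", "ol", "li", "p", "br"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
SAFE_URL_SCHEMES = ("http:", "https:", "mailto:")

# Rough detector for output that could still execute in a browser: a script
# tag, an inline on* event handler, or a javascript: URL.
_ACTIVE = re.compile(r"<script\b|<\w+[^>]*\son\w+\s*=|javascript:", re.IGNORECASE)


def full_html(text: str) -> str:
    """'Full HTML' behaviour: stored and rendered exactly as typed."""
    return text


def plain_text(text: str) -> str:
    """Plain-text behaviour: every markup character is escaped, so nothing
    the commenter typed can become a tag or an attribute."""
    return escape(text, quote=True)


class _AllowListFilter(HTMLParser):
    """Rebuilds the input keeping only allowed tags and attributes. Text
    inside a dropped tag is kept (escaped), so <script> loses the ability
    to run while the visible words survive."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []

    @staticmethod
    def _safe_url(value: str) -> bool:
        v = value.strip().lower()
        # Relative URLs pass; absolute ones need a listed scheme. The parser
        # has already decoded entities, so "javascript&#58;" is caught too.
        return ":" not in v or v.startswith(SAFE_URL_SCHEMES)

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # drop the tag itself; its text content still flows through
        kept = []
        for name, value in attrs:
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # no event handlers, no unlisted attributes
            if name == "href" and not self._safe_url(value or ""):
                continue  # blocks javascript:, data:, vbscript: and friends
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=True))


def filtered_html(text: str) -> str:
    """'Filtered HTML' style behaviour: allow-list tags and attributes."""
    parser = _AllowListFilter()
    parser.feed(text)
    parser.close()
    return "".join(parser.out)


def contains_active_content(rendered: str) -> bool:
    """True if the rendered markup can still run script in a browser."""
    return bool(_ACTIVE.search(rendered))


if __name__ == "__main__":
    for name, fmt in (("Full HTML", full_html),
                      ("Filtered HTML", filtered_html),
                      ("Plain text", plain_text)):
        out = fmt(POSTED_COMMENT)
        print(f"{name:14} active={contains_active_content(out)!s:5} {out}")
```

Run it to see the three renderings side by side. For the question asked in the thread: under Full HTML the comment is stored as live markup and the alert fires for every visitor who views it, which is exactly the stored XSS case, and the same format would carry a payload that does something other than pop an alert. The href check runs on the decoded value because the parser decodes `&#58;` before the filter sees it; a filter that inspected the raw source text would let that variant through.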

sepeck’s picture

Read this article on filters
http://www.lullabot.com/articles/drupal_input_formats_and_filters

-Steven Peck
---------
Test site, always start with a test site.
Drupal Best Practices Guide -|- Black Mountain
