Displaying 7 results from an estimated 7 matches for "htmlspecialchar".
2006 Nov 13
1
php5 in centosplus update?
The recent htmlentities/htmlspecialchars bug was affecting all
versions of PHP older than 5.2.0. With that in mind, I was just
wondering if there is any timeframe to release a fix in centosplus
repository for PHP5 package? I've noticed that Red Hat released fixed
PHP5 packages for RHEL4 last week (php-5.1.4-1.el4s1.5).
--...
2015 Aug 11
4
Apache mod_perl cross site scripting vulnerability
Hello,
I've failed the latest PCI scan because of CVE-2009-0796. CentOS 6.7. The
Red Hat Security Response Team has rated this issue as having moderate
security impact and bug as wontfix.
Explanation: The vulnerability affects non-default configuration of
Apache HTTP web server, i.e. cases when access to Apache::Status and
Apache2::Status resources is explicitly allowed via <Location
2015 Aug 12
0
Apache mod_perl cross site scripting vulnerability
...: contains '"><script>alert('xss')</script>'
That's your problem; they're flagging you for an XSS "vulnerability".
I'm guessing you have a custom 404 page that naively echoes the entire
request URL as part of the page? You need to be using
htmlspecialchars() or HTML::Entities or whatever your
language/environment has to escape strings for safe inclusion in HTML
content.
There is of course more to it than that (sigh), try for starters:
https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet
--ln
2005 May 05
5
snom mass deployment (probably off topic)
Hello
Although not strictly an asterisk issue, any help would be appreciated.
Firstly a few notes on the snom 360, which I have had on a test bed
for the last week. It's a great phone, with a good user interface,
both physically and its web based one.
At its latest firmware it does have a few quirks, with regards to the
way it handles usernames and passwords on the physical interface.
These have
2015 Aug 12
2
Apache mod_perl cross site scripting vulnerability
...;<script>alert('xss')</script>'
>
> That's your problem; they're flagging you for an XSS "vulnerability".
> I'm guessing you have a custom 404 page that naively echoes the entire
> request URL as part of the page? You need to be using
> htmlspecialchars() or HTML::Entities or whatever your
> language/environment has to escape strings for safe inclusion in HTML
> content.
There is a PHP-generated 404 page. I'll check that with the web developer.
What's strange, I'm trying to reproduce this and I don't see that
string. Trustwave su...
2005 Sep 21
0
HOWTO: A simple AGI application to modify incoming CallerID on the fly using SQL Server and *not* UnixODBC
...string to return
$sReturn = "<?xml version=\"1.0\"?>\r\n<result state=\"failure\">\r\n<error>$errstr</error>\r\n</result>\r\n";
}
else
{
//construct XML to send
//search and replace HTML chars in SQL first
$sSQL = HTMLSpecialChars($sSQL);
$sSend = "<?xml version=\"1.0\"?>\r\n<request>\r\n<connectionstring>$this->sConnectionString</connectionstring>\r\n<sql>$sSQL</sql>\r\n</request>\r\n";
//write request
fputs($fToOpen, $sSend);
//now read r...
2005 Sep 22
0
AGI Script to interact with ACCESS Database and Set CID info on the fly.
...string to return
$sReturn = "<?xml version=\"1.0\"?>\r\n<result state=\"failure\">\r\n<error>$errstr</error>\r\n</result>\r\n";
}
else
{
//construct XML to send
//search and replace HTML chars in SQL first
$sSQL = HTMLSpecialChars($sSQL);
$sSend = "<?xml version=\"1.0\"?>\r\n<request>\r\n<connectionstring>$this->sConnectionString</connectionstring>\r\n<sql>$sSQL</sql>\r\n</request>\r\n";
//write request
fputs($fToOpen, $sSend);
//now read r...