Hi all,
I was doing some work today checking on XSS protection auditing the process and I discovered something worrying.
I assume this is some sort of misconfiguration between charsets but I cant fix it.
My sanitiser will ignore < (rightly so) but then some sort of best fit character process deeper in the application converts them into regular < less than signs.
If I run;
INSERT INTO MYTABLE (textfield) value('<script>alert(''XSS'')</script>')
those < characters get changed into < when I view the table data.
Anyone have any ideas how to stop this..?
Thanks