trabasancres
New Member
I've been using the free Firefox extension XSS Me from Security Compass to test for XSS problems. However, using what I understand to be safe filtering, XSS Me still reports warnings. Are these accurate warnings or spurious?

Using the code below as a testcase:

[code]
<form method="post" action="">
<input type="text" name="param" value="<?php echo htmlentities($_POST['param']) ?>">
<input type="submit">
</form>
<?php echo htmlentities($_POST['param']) ?>
[/code]

I run some nasties by hand but none of them are executed in the browser, and using the Charles debugging proxy I can see that the response is encoded as expected.

However, XSS Me reports a number of warnings, as if it can see the unencoded string in the HTML source:
Looking in Charles at the same time, I can see the strings are encoded and should be safe, e.g.

[code]
<IMG SRC="jav ascript:document.vulnerable=true;">
[/code]
- Is there a vulnerability I haven't fixed?
- Are these rogue warning messages?
- And if so, is another Firefox extension (Firebug?) conflicting with XSS Me?
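One way to settle whether a warning is real or a scanner artifact is to check the server-side output encoding directly, independently of any browser extension. The script below is an added example, not code from the original post or from XSS Me; it re-renders the same form with PHP's own htmlentities() and verifies that no markup character survives in the reflected value. The helper names (encode_html, render_page, reflection_is_inert) are assumptions of this example.

```php
<?php
// Added example (not from the original post): checks that the reflected
// value stays inert in both places the test page uses it, a double-quoted
// attribute value and element text body.
declare(strict_types=1);

// ENT_QUOTES also encodes single quotes, so the same helper stays safe if an
// attribute is ever written with single quotes; the charset is given
// explicitly because the htmlentities() default changed between PHP versions.
function encode_html(string $value): string
{
    return htmlentities($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Same page fragment as the test case in the post, built from one encoded value.
function render_page(string $param): string
{
    $safe = encode_html($param);
    return '<form method="post" action="">'
        . '<input type="text" name="param" value="' . $safe . '">'
        . '<input type="submit"></form>'
        . $safe;
}

// After encoding, none of < > " ' may remain in the reflected value, so the
// input can neither close the attribute nor open a new tag.
function reflection_is_inert(string $param): bool
{
    return strpbrk(encode_html($param), '<>"\'') === false;
}

// Constructed inputs: the XSS Me payload quoted in the post (with the embedded
// whitespace such scanners insert) plus two attribute-breakout variants.
$samples = [
    "<IMG SRC=\"jav\tascript:document.vulnerable=true;\">",
    '" onmouseover="document.vulnerable=true',
    "' onfocus='document.vulnerable=true",
];

foreach ($samples as $sample) {
    $html = render_page($sample);
    // The static template contributes exactly four '<' characters
    // (<form>, two <input>, </form>); any more would mean a tag leaked through.
    $tagCount = substr_count($html, '<');
    printf("%-50s inert=%s tags=%d\n",
        json_encode($sample),
        reflection_is_inert($sample) ? 'yes' : 'no',
        $tagCount);
}
```

If this prints inert=yes and tags=4 for every sample while the scanner still warns, the warning is being raised on something other than the raw HTML the server returned, which is what to compare against the proxy capture.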