Quote:
Originally posted by LoveShack
Well, this script needs a couple of security modifications--it's open to XSS vulnerabilities big time.
I don't have time to look at the code right now, but perhaps someone who's more familiar with javascript could take a look at this. Using the word "javascript" in the text of a message you're spell checking will let you run whatever you'd like. This needs to be htmlspecialchars()'d and properly handle the word javascript in a message.
Can you give an example?
I can't seem to reproduce what you're saying.
The line "$outtext = htmlentities(stripslashes($checktext));" should prevent what you are experiencing.