2
  • Thank you for your response. This code is used in production at a very large company. I am a security researcher and I am trying to explain why this is insecure for them. But I still believe it's impossible to exploit. If not, how? Commented Feb 7, 2013 at 4:08
  • 2
    The lack of a practical exploit is a technicality - if someone discovers a heap spray bug in an application, they still call it a security vulnerability even if they don't have a practical exploit. Even if we can't find a way around the regex, it doesn't mean someone else won't. Notice that Brian's answer already got partway to some valid / useful JavaScript. A determined attacker will spend hours or even days trying to break this filter, whereas we're only giving it a cursory glance. If you're doing a test or review of the code, you need to count it as a vulnerability. Commented Feb 7, 2013 at 11:01