On Wed, 13 Nov 2002, Steven M. Christey wrote:

> Being able to place arbitrary HTML into an intermediate web page is
> dangerous for other reasons (this is sometimes called "HTML
> injection," but I view it as another flavor of XSS). For example,
> this would allow attackers to use META-REFRESH style attacks to
> redirect victims away from the intended web site.

..or to redirect victims to a script on the intended web site that does
something (i.e., sending mails or posting Usenet messages under the
victim's name). It's not just about stealing cookies.

// Ulf Harnhammar
VSU Security
ulfh@update.uu.se
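The point raised in this thread, as an added example that is not part of either poster's message: a filter that only worries about script (the cookie-theft case) still lets an injected META refresh reach the intermediate page, while encoding the echoed value on output leaves nothing for the browser to parse. The page template, the function names and the sample value are assumptions constructed for illustration.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample: a user-controlled value echoed into an intermediate page.
SAMPLE = 'x<meta http-equiv="refresh" content="0;url=https://example.invalid/">'

TEMPLATE = "<html><body><p>You are leaving for: %s</p></body></html>"


def strip_scripts(value):
    """Hypothetical weak filter: removes <script> blocks and nothing else."""
    return re.sub(r"(?is)<script.*?>.*?</script>", "", value)


def render_weak(value):
    """Intermediate page that relies on the script-only filter."""
    return TEMPLATE % strip_scripts(value)


def render_encoded(value):
    """Intermediate page that HTML-encodes the value at output time."""
    return TEMPLATE % html.escape(value, quote=True)


class RefreshFinder(HTMLParser):
    """Collects the content attribute of each parsed <meta http-equiv=refresh>."""

    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        attributes = dict(attrs)
        if tag == "meta" and (attributes.get("http-equiv") or "").lower() == "refresh":
            self.targets.append(attributes.get("content") or "")


def find_refresh(page):
    """Return the refresh directives an HTML parser would act on in `page`."""
    finder = RefreshFinder()
    finder.feed(page)
    finder.close()
    return finder.targets


if __name__ == "__main__":
    print("script-only filter:", find_refresh(render_weak(SAMPLE)))
    print("output encoding:   ", find_refresh(render_encoded(SAMPLE)))
```

`find_refresh` can also serve as a regression check over rendered pages: any refresh directive that the template itself did not emit indicates that user input reached the markup unencoded.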