Hi5 HTML filtering stupidity


Hi5, another social networking site, filters HTML code oddly.

Embeds are allowed (I don’t think they used to be), but if there are any percent signs (%) in the embed’s attributes, it doesn’t display. Further testing reveals that hi5 seems to strip out any tag whose attributes contain a URL-encoded (percent-encoded, %XX) sequence at all, not just embeds.

For example, this perfectly valid code for a link:

<a href="http://www.google.com/search?q=this%2Fthat">search this/that</a>

will not display properly in a hi5 profile. The <a href="..."> tag gets stripped out because of the %2F (a URL-encoded slash, “/”), even though the URL is exactly what any correct URL encoder would produce for a query containing a slash.

The downside for me is that pets that have spaces or accented characters in their name will not display on hi5.

I’m guessing that this is their brain-dead way to prevent XSS (cross-site scripting) vulnerabilities as reported here.

It looks like I’ll have to not encode the flashvars at all on hi5. Hope it works properly…
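The following is an added example, not code from the post or from hi5, that models the behaviour described above (any tag whose attributes contain a %XX escape is dropped) and the planned flashvars workaround. The filter implementation, the pet name "Señor Gato", the SWF URL and the scheme-allowlist alternative are all assumptions made for illustration; the allowlist is only the link/embed part of a sanitiser, shown to contrast a check keyed on the URL scheme with one keyed on how the value was encoded.

```python
import re
from urllib.parse import quote, urlsplit

# Matches an opening tag and captures its name and its attribute section.
TAG_RE = re.compile(r"<([A-Za-z][A-Za-z0-9]*)((?:\s+[^<>]*?)?)\s*/?>")
# A percent-encoded byte such as %2F or %C3.
PCT_RE = re.compile(r"%[0-9A-Fa-f]{2}")
# href/src attribute values in double quotes (sufficient for this illustration).
URL_ATTR_RE = re.compile(r'\b(?:href|src)\s*=\s*"([^"]*)"', re.IGNORECASE)


def percent_sign_filter(html: str) -> str:
    """Model of the observed hi5 behaviour (an assumption, not hi5's real code).

    Any opening tag whose attribute section contains a %XX escape is dropped
    entirely; the matching closing tag is left behind, as the post describes.
    """
    def repl(m: re.Match) -> str:
        attrs = m.group(2)
        return "" if PCT_RE.search(attrs) else m.group(0)
    return TAG_RE.sub(repl, html)


def scheme_allowlist_filter(html: str) -> str:
    """Illustrative alternative: decide on the URL scheme, not on the encoding.

    Keeps a tag only if every href/src value is an absolute http(s) URL, so
    percent-encoded characters play no part in the decision. This is only the
    link/embed part of a sanitiser (no event-handler or CSS handling; relative
    URLs are rejected for simplicity).
    """
    def repl(m: re.Match) -> str:
        attrs = m.group(2)
        for value in URL_ATTR_RE.findall(attrs):
            if urlsplit(value).scheme.lower() not in ("http", "https"):
                return ""
        return m.group(0)
    return TAG_RE.sub(repl, html)


def flashvars(params: dict, encode: bool) -> str:
    """Build a flashvars string; encode=False is the post's planned workaround."""
    pairs = []
    for key, value in params.items():
        if encode:
            value = quote(value, safe="")  # spaces and accents become %XX escapes
        pairs.append(f"{key}={value}")
    return "&".join(pairs)


def embed_tag(swf_url: str, vars_string: str) -> str:
    """Minimal embed tag carrying a flashvars attribute."""
    return f'<embed src="{swf_url}" flashvars="{vars_string}" />'


# Constructed sample input: the post's own link, plus an assumed pet name and SWF URL.
GOOGLE_LINK = '<a href="http://www.google.com/search?q=this%2Fthat">search this/that</a>'
PET = {"name": "Señor Gato"}            # constructed: a space and an accented character
SWF = "http://example.invalid/pet.swf"  # placeholder URL, not a real resource

if __name__ == "__main__":
    print(percent_sign_filter(GOOGLE_LINK))          # opening <a> tag is gone
    print(scheme_allowlist_filter(GOOGLE_LINK))      # link kept intact
    encoded = embed_tag(SWF, flashvars(PET, encode=True))
    raw = embed_tag(SWF, flashvars(PET, encode=False))
    print(percent_sign_filter(encoded) == "")        # encoded name: embed dropped
    print(percent_sign_filter(raw) == raw)           # unencoded name: embed survives
    print(scheme_allowlist_filter(encoded) == encoded)
```

The unencoded workaround survives the filter, but it has a cost worth checking on the receiving side: the Flash movie must not URL-decode the values (a literal "%" or "+" in a name would otherwise be mangled), and a name containing "&" or "=" can no longer be represented unambiguously in the flashvars string at all.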
