httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Joshua Kogut <>
Subject Re: [users@httpd] Problem with Less Than/Greater Than Characters in URL
Date Sat, 15 Oct 2005 21:45:53 GMT
You said that javascript send a variable to apache. Huh? Isn't javascript
(mostly) client-side? Also, you could also use different characters and then
compensate for that with mod_rewrite, I think. As far as disabling
mod_security, if you use apache as a local testing server you shouldn't need
to worry about security, but if its a production server, I would

On 10/12/05, Marc Rabil <> wrote:
>  Folks,
>  We have a web application that uses JavaScript to add a parameter and a
> value to a URL before sending it to Apache server version 1.3.31. In some
> cases, the value contains the less than (<) or greater than (>) characters
> so we use the JavaScript escape function to convert the characters before
> sending. So for a value such as '<<<', the URL looks like this:
> http://localhost/ourapp/index.htm?value=%3C%3C%3C.
>  This causes Apache to return a 403 Access Forbidden error and says: 'Due
> to the presence of characters known to be used in Cross Site Scripting
> attacks, access is forbidden. This web site does not allow Urls which might
> include embedded HTML tags'.
>  Is there a way to disable this security check or otherwise configure the
> server to permit this type of URL?
>  Thanks in advance for any help,
>  Marc

|| jmkogut ||
|| Networking: Where all your problems are category 5. ||

View raw message