Questions tagged [html]

HTML (HyperText Markup Language) is a language used to create web pages using tags inline with the content to indicate to browsers how to display that content, using the tags to interpret formatting, images, scripts and other content.

The HTML tag should be used for questions referring to the security of the HTML language, or implementations based upon it.

From a security perspective, most vulnerabilities are down to the functionality allowed by scripts (e.g. JavaScript), embedded content (e.g. Flash) and other plugins.

331 questions

107 votes, 5 answers

Should websites be allowed to disable autocomplete on forms or fields?

Currently, there is an HTML form/input attribute called autocomplete, which, when set to off, disables autocomplete/autofill for that form or element. Some banks seem to use this to prevent password managers from working. These days sites like Yahoo…
Manishearth

64 votes, 2 answers

Are EU cookie consent forms safe?

Does the EU consent form system pose a new security risk? Today we have to click OK on about 20 cookie consent forms every week, where previously we could mostly dismiss internet forms as being invasive and risky. There are so many EU consent forms,…
LifeInTheTrees

61 votes, 1 answer

"Allow __ to be fullscreen?"

I have been asking myself for a while what's the purpose of that popup showing up in pretty much all the modern browsers upon entering the full-screen mode of a video or website. It appears to be a security measure against some sort of potential…
Nicola Miotto

60 votes, 6 answers

Anonymous surveys that aren't so anonymous

In the past I have completed an 'anonymous' survey at work only to find that my employer was able to garner a lot of not-anonymous information from this survey. Location, name of manager, etc. None of this information was provided in the survey. …
iShaymus

45 votes, 8 answers

Is it ever safe to open a suspicious HTML file (e.g. email attachment)?

If I receive an email that has an attachment called something like safe-link.html would it ever be safe to open this file? Clearly, HTML files may have malicious scripts embedded that could run when opened with a browser. However, I'm wondering if…
Matthew

40 votes, 4 answers

Have computer criminals been known to exploit easily-edited websites like Wikipedia to embed malicious scripts?

When I was reading a page on Wikipedia several months ago (December 2014) I saw what looked like a pop-up window from BT, but I soon realized that when I closed the page the pop-up disappeared. I then opened Firebug and inspected the box and saw…
Alexander Kalian

40 votes, 7 answers

Security risks of user generated HTML?

I am creating a website that allows people to upload HTML content. Currently these are the tags that are banned: