
Security


The Platform for Privacy Preferences 1.0 (P3P1.0) Specification

W3C Recommendation 16 April 2002

This Version:
Latest Version:
Previous Version:

Editor:
Massimo Marchiori, W3C / MIT / University of Venice (massimo@w3.org)

Authors:
Lorrie Cranor, AT&T
Marc Langheinrich, ETH Zurich
Massimo Marchiori, W3C / MIT / University of Venice
Martin Presler-Marshall, IBM
Joseph Reagle, W3C/MIT

Please refer to the errata for this document, which may include some normative corrections. See also translations.

Copyright ©2002 W3C® (MIT, INRIA, Keio), All Rights Reserved.

Abstract

This is the specification of the Platform for Privacy Preferences (P3P).

Status of This Document

This section describes the status of this document at the time of its publication. This is the W3C Recommendation of the Platform for Privacy Preferences 1.0 (P3P1.0) Specification. Please report errors in this document to www-p3p-public-comments@w3.org (publicly archived).

Table of Contents

Parameter Manipulation

When a user makes selections on an HTML page, the selection is typically stored as form field values and sent to the application as an HTTP request (GET or POST). HTML can also store field values as hidden fields, which are not rendered to the screen by the browser but are collected and submitted as parameters during form submission. Whether these form fields are pre-selected (drop-downs, check boxes, etc.), free-form or hidden, they can all be manipulated by the user to submit whatever values they choose: "hidden" means not displayed, not protected, so the server must treat every parameter as untrusted input. In most cases this is as simple as saving the page with "view source" or "save", editing the HTML and re-loading the page in the web browser; an intercepting proxy between browser and server achieves the same without touching the page. As an example, an application uses a simple form to submit a username and password to a CGI for authentication using HTTP over SSL. The encrypted channel protects the request in transit, but says nothing about whether the client altered the fields before sending them.

Hidden form fields are a convenient way for developers to store data in the browser and are one of the most common ways of carrying data between pages in wizard-type applications; for the same reason they are a common target for manipulation.

Drx: Internet Security [Computers: Security: Internet] - loadaverageZero

XSS (Cross Site Scripting) Cheat Sheet

Last revision (mm/dd/yy): 07/4/2018

This cheat sheet lists a series of XSS attacks that can be used to bypass certain XSS defensive filters. Note that input filtering is an incomplete defense for XSS, which these tests can be used to illustrate.

Basic XSS Test Without Filter Evasion

This is a normal XSS JavaScript injection, and the most likely to get caught, but try it first (the quotes are not required in any modern browser, so they are omitted here).

XSS Locator (Polyglot)

The following is a "polyglot" test XSS payload:

javascript:/*--></title></style></textarea></script></xmp><svg/onload='+/"/+/onmouseover=1/+/[*/[]/+alert(1)//'>

Image XSS using the JavaScript directive

IE7.0 doesn't support the JavaScript directive in the context of an image, but it does in other contexts; the following shows the principles that would work in other tags as well.

No quotes and no semicolon

Case insensitive XSS attack vector

HTML entities

Malformed A tags