AppSec Blog

Spot the Vuln - Flag

Every normal man must be tempted, at times, to spit upon his hands, hoist the black flag, and begin slitting throats.
~H.L. Mencken

Spot the Vuln uses code snippets from open source applications to demonstrate vulnerabilities in real world web applications. Every Monday morning a vulnerable code snippet is posted. Take a look at the vulnerable code and try to identify where the security vulnerability is. Every Friday, a solution is posted so you can check your answers. Each exercise is designed to last between 5 and 10 minutes. Do it while you drink your morning coffee and you will be on your way to writing more secure applications.

/**
 * Encode special characters in a plain-text string for display as HTML.
 */
Drupal.checkPlain = function(str) {
  str = String(str);
  var replace = { '&': '&amp;', '"': '&quot;', '<': '&lt;', '>': '&gt;' };
  for (var character in replace) {
    str = str.replace(character, replace[character]);
  }
  return str;
};
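An added example, not from the page or from Drupal, that puts the snippet above beside a global-replace variant so the two can be compared on the same input. The names checkPlainFirstOnly, checkPlainAll, countUnencoded and the sample string are my own; the replacement table is the one the snippet uses. The relevant language fact is that String.prototype.replace with a string (rather than a RegExp) pattern replaces only the first occurrence of that pattern.

```javascript
// Added example (not from the page or Drupal): the page's encoder logic
// beside a global-replace version, plus a check a defender can run in tests.

// Same replacement table the page's snippet uses.
const REPLACE = { '&': '&amp;', '"': '&quot;', '<': '&lt;', '>': '&gt;' };

// Mirrors the page's snippet: a string pattern passed to String.prototype.replace
// matches only the first occurrence of that character in the input.
function checkPlainFirstOnly(str) {
  str = String(str);
  for (const character in REPLACE) {
    str = str.replace(character, REPLACE[character]);
  }
  return str;
}

// Hardened variant (my own, not Drupal's fix): one global regex over the whole
// character class with a callback lookup, so every occurrence is encoded in a
// single pass and the result does not depend on the table's iteration order.
function checkPlainAll(str) {
  return String(str).replace(/[&"<>]/g, (c) => REPLACE[c]);
}

// Property check for a test suite: after encoding, no raw <, > or " may remain.
// '&' is excluded because it legitimately appears inside the emitted entities.
function countUnencoded(encoded) {
  return (encoded.match(/[<>"]/g) || []).length;
}

// Constructed sample input: two tags, so each special character appears twice.
const SAMPLE = '<b>x</b>';

// Returns both encodings of the sample for side-by-side inspection.
function demo() {
  return {
    firstOnly: checkPlainFirstOnly(SAMPLE), // second '<' and '>' survive
    all: checkPlainAll(SAMPLE),             // every occurrence encoded
  };
}

console.log(demo());
```

Running demo() shows the first-only version leaving the closing tag's `<` and `>` untouched, while the single-pass version encodes all of them; countUnencoded is the kind of assertion worth keeping in a project's test suite for any output-encoding helper.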
About the Authors:
Brett Hardin and Billy Rios run, a website dedicated to helping developers understand secure coding practices. You can find out more about the authors by visiting


Posted March 7, 2011 at 3:09 PM


I don't see any encoding going on here, just a simple string replace with the same characters. Am I missing something?

Patrick Thomas
Posted March 11, 2011 at 5:13 PM

Looks like the formatting got corrupted when it was copied from the main site. The replacement chars should be the expected HTML entities, so that's a red herring. See the original:
There is a vuln there, but it's subtle.
The solution is now posted as well:
