From: Sverre H. Huseby (shh@thathost.com)
Date: Sun Apr 28 2002 - 05:00:41 CDT
[Craig Davison]
| After that, filtering out content between <script*></script> including the
| tags themselves is a good place to start.
|
| You'll also want to:
| - Filter <embed*>, <object*>, <iframe*>, <applet*>
| - Remove the on* attribute from every tag. Examples: <img onClick=...>,
|   <body onLoad=...>
| - Remove <meta> tags with an http-equiv attribute of "Refresh" or
| "Location".
|
| This list is of course far from complete. When you're ready to
| start testing your filter with some real data, you can tweak the
| rules as necessary.
You are black-listing. From a security point of view, white-listing
is preferable: Instead of removing what you know is bad, you should
let through what you know is good (and drop the unknown).
Sverre.
--
shh@thathost.com                 Computer Geek? Try my Nerd Quiz
http://shh.thathost.com/         http://nerdquiz.thathost.com/
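The distinction Sverre draws, as an added example that is not code from this thread: a blacklist filter built from the quoted rules (strip what is known to be bad) beside a whitelist sanitizer built on Python's html.parser (emit only what is known to be good, escape the rest). The allowed tag and attribute sets, the URL-scheme check and the sample inputs are assumptions chosen for illustration; the two bypass inputs (a javascript: href that no rule covers, and a split tag that reassembles after one pass of stripping) are constructed test cases.

```python
import html
import re
from html.parser import HTMLParser

# --- Blacklist approach, modelled on the quoted rules ------------------------
# Everything not named here passes through untouched.

def blacklist_filter(fragment: str) -> str:
    """Remove known-bad constructs; anything unknown is left as-is."""
    out = fragment
    # <script ...>...</script> including the tags themselves
    out = re.sub(r"<script\b[^>]*>.*?</script\s*>", "", out, flags=re.I | re.S)
    # other plugin / framing tags, open and close
    out = re.sub(r"</?(?:embed|object|iframe|applet)\b[^>]*>", "", out, flags=re.I)
    # on* event-handler attributes (quoted or bare values)
    out = re.sub(r"\s+on\w+\s*=\s*(?:\"[^\"]*\"|'[^']*'|[^\s>]+)", "", out, flags=re.I)
    # <meta http-equiv="refresh"> / "location"
    out = re.sub(r"<meta\b[^>]*http-equiv\s*=\s*[\"']?(?:refresh|location)[\"']?[^>]*>",
                 "", out, flags=re.I)
    return out


# --- Whitelist approach ------------------------------------------------------
# Assumed policy for a comment field: a few formatting tags, one attribute,
# and only http(s)/mailto/relative links. Everything else is dropped; all
# text is re-escaped on output, so unknown markup can never reach the browser.

_ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "code", "pre", "ul", "ol", "li", "a"}
_ALLOWED_ATTRS = {"a": {"href"}}
_VOID_TAGS = {"br"}
_SAFE_URL = re.compile(r"^(?:https?://|mailto:|/)", re.I)


class WhitelistSanitizer(HTMLParser):
    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)  # entities arrive decoded, we re-escape
        self.parts: list[str] = []
        self.open_tags: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag not in _ALLOWED_TAGS:
            return  # unknown tag dropped; its text content still arrives via handle_data
        kept = []
        for name, value in attrs:
            if name not in _ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue
            if name == "href" and not _SAFE_URL.match(value.strip()):
                continue  # javascript:, data:, vbscript: ... all fail the positive check
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.parts.append(f"<{tag}{''.join(kept)}>")
        if tag not in _VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag not in self.open_tags:
            return  # stray or unknown close tag: ignore
        while self.open_tags:  # close anything left open inside it to keep nesting balanced
            t = self.open_tags.pop()
            self.parts.append(f"</{t}>")
            if t == tag:
                break

    def handle_data(self, data):
        self.parts.append(html.escape(data))  # text is always escaped, never trusted

    # comments, declarations and processing instructions fall through to the
    # base-class no-op handlers and are therefore dropped


def sanitize(fragment: str) -> str:
    p = WhitelistSanitizer()
    p.feed(fragment)
    p.close()
    while p.open_tags:  # close tags the input left open
        p.parts.append(f"</{p.open_tags.pop()}>")
    return "".join(p.parts)


if __name__ == "__main__":
    # constructed inputs: the first slips past the blacklist rules, the second
    # reassembles into a live <script> after a single stripping pass
    for sample in ('<a href="javascript:alert(1)">x</a>',
                   '<scr<script></script>ipt>alert(1)</script>',
                   '<p>Hello <img src=x onerror=alert(1)>world</p>'):
        print("blacklist:", blacklist_filter(sample))
        print("whitelist:", sanitize(sample))
```

The blacklist version does what the quoted rules say and still lets a javascript: URL through, because no rule mentions it, and reassembles a `<script>` tag from the split-tag input, because it removes a match once rather than re-scanning. The whitelist version needs no knowledge of either trick: a tag is either in the allowed set or it is gone, and an href either matches a safe scheme or it is gone.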