Preventing cross site scripting
From: Andrew Beverley (andy at andybev.com)
Date: Thu Jun 19 2003 - 12:54:20 CDT
I am currently writing a web application that, as a small part of it,
needs to display an email message. Obviously the message is potentially
in html format, which to display could be sent straight to the browser.
I would like to know the best way of filtering out undesirable html. I
understand the best way is to only allow acceptable information, in this
case all the different html formatting tags.
However, there are a lot of tags that are acceptable. Another approach
would be to strip out all the bad stuff such as <SCRIPT>, <OBJECT>,
<APPLET>, and <EMBED>, but this is far from ideal because of new tags
becoming available and so on.
Are there any functions available (for PHP) that will take an HTML page
as input and strip out all the nasty stuff? Does anyone have suggestions as
to how to do this as easily as possible?
Thanks,
Andrew Beverley
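The allow-list approach the post asks about, as an added example that is not part of the original message: it rebuilds the email body from a fixed set of permitted tags and attributes using Python's standard-library html.parser (rather than PHP), so anything not listed, including tags that did not exist when the list was written, is dropped or escaped. The tag, attribute and URL-scheme lists are constructed for illustration.

```python
from html import escape
from html.parser import HTMLParser

# Constructed allow-list: everything not listed here is dropped or escaped.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "ul", "ol", "li",
                "blockquote", "a"}
ALLOWED_ATTRS = {"a": {"href"}}          # per-tag attribute allow-list
DROP_WITH_CONTENT = {"script", "style", "object", "applet"}  # text inside is dropped too
VOID_TAGS = {"br"}                        # never emit a closing tag for these

def safe_href(value):
    """Keep only http(s)/mailto links; javascript:, data:, vbscript: are removed."""
    return value.strip().lower().startswith(("http://", "https://", "mailto:"))

class AllowListSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)  # entities arrive decoded, re-escaped below
        self.out = []
        self.skip = 0  # > 0 while inside an element whose content is dropped

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1
            return
        if self.skip or tag not in ALLOWED_TAGS:
            return  # unknown tag (embed, img, div, ...) vanishes; its text is kept
        kept = ""
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, ()) or value is None:
                continue  # event handlers, style, etc. never pass
            if name == "href" and not safe_href(value):
                continue
            kept += ' %s="%s"' % (name, escape(value, quote=True))
        self.out.append("<%s%s>" % (tag, kept))

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(self.skip - 1, 0)
        elif not self.skip and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))
    # comments, doctype and processing instructions are discarded by default

def sanitize(untrusted_html):
    p = AllowListSanitizer()
    p.feed(untrusted_html)
    p.close()  # flushes any trailing text
    return "".join(p.out)
```

Because every text node is re-escaped on output, encoded payloads such as `&lt;script&gt;` stay inert text rather than becoming markup.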