RE: Preventing cross site scripting
From: David Cameron (dcameron@itis-now.com)
Date: Thu Jun 19 2003 - 20:50:37 CDT
Create a list of unacceptable tags in an array (e.g. applet, embed), loop through the array and generate a regexpr based on the array, something of the form:
<(applet)|(embed).?> and replace all instances with "".
Do the same for any possible closing tags, i.e.:
</(applet)|(embed)> and replace all instances with "".
BTW the RegExpr may be wrong, I'm not all that hot on RegExprs, but you get the idea.
regards
David Cameron
nOw.b2b
dcameron@itis-now.com
> -----Original Message-----
> From: Andrew Beverley [mailto:mail@andybev.com]
> Sent: Friday, 20 June 2003 4:28 AM
> To: webappsec@securityfocus.com
> Subject: Preventing cross site scripting
>
>
> I am currently writing a web application that, as a small part of it,
> needs to display an email message. Obviously the message is potentially
> in html format, which to display could be sent straight to the browser.
>
> I would like to know the best way of filtering out undesirable html. I
> understand the best way is to only allow acceptable information, in this
> case all the different html formatting tags.
>
> However, there are a lot of tags that are acceptable. Another approach
> would be to strip out all the bad stuff such as <SCRIPT>, <OBJECT>,
> <APPLET>, and <EMBED> but this is far from ideal because of new tags
> becoming available and so on.
>
> Are there any functions available (for php) that will take an html page
> as input and strip out all nasty stuff? Does anyone have suggestions as
> to how to do this as easily as possible?
>
> Thanks,
>
> Andrew Beverley
>
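Added example, not part of either message in this thread: the two approaches discussed above side by side, so the difference Andrew points out can be seen on real input. David's array-driven blacklist is built exactly as he describes (one regex generated from the list of blocked tag names); the allowlist variant Andrew prefers keeps only named tags and, on those, only named attributes. It is written against Python's standard-library HTML parser rather than PHP, since the technique is the same; the sample message, the tag and attribute allowlists, and the rule that only http/https/mailto links are kept are all assumptions made for this example.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample message body (not from the original thread). It mixes
# harmless formatting with the kinds of tags the thread wants removed, plus
# an event-handler attribute, which tag stripping alone would not touch.
SAMPLE_MESSAGE = (
    '<p>Hello <b>Andrew</b>,</p>'
    '<applet code="x.class"></applet>'
    '<EMBED src="a.swf">'
    '<script>alert(1)</script>'
    '<a href="http://example.com" onclick="doSomething()">link</a>'
    '<p>5 &lt; 6</p>'
)

# --- Approach 1: the blacklist David describes, generated from an array ---
BLOCKED_TAGS = ["applet", "embed"]          # the two names he gives

def blacklist_strip(doc, blocked=BLOCKED_TAGS):
    """Remove opening and closing tags whose name is in `blocked`."""
    alternation = "|".join(re.escape(tag) for tag in blocked)
    # </? matches both <applet ...> and </applet>; \b stops a name matching
    # a longer tag that merely starts with it; [^>]* swallows attributes.
    pattern = re.compile(r"</?(?:%s)\b[^>]*>" % alternation, re.IGNORECASE)
    return pattern.sub("", doc)

# --- Approach 2: the allowlist Andrew says is preferable -----------------
ALLOWED_TAGS = {"p", "b", "i", "u", "em", "strong", "br", "a"}   # assumption
ALLOWED_ATTRS = {"a": {"href"}}                                  # assumption
DROP_CONTENT = {"script", "style"}   # these elements lose their text as well
VOID_TAGS = {"br"}                   # never emit a closing tag for these

class AllowlistSanitizer(HTMLParser):
    """Re-serialise only allowed tags/attributes; everything else is text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropping = None   # name of the DROP_CONTENT element we are inside

    def handle_starttag(self, tag, attrs):
        if self.dropping:
            return
        if tag in DROP_CONTENT:
            self.dropping = tag
            return
        if tag not in ALLOWED_TAGS:
            return          # unknown tag vanishes; its inner text is kept
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue    # onclick, style, etc. are never copied through
            value = value or ""
            if name == "href" and not value.lower().startswith(
                    ("http://", "https://", "mailto:")):
                continue    # only plain web/mail links are kept (assumption)
            kept.append(' %s="%s"' % (name, html.escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))

    def handle_endtag(self, tag):
        if tag == self.dropping:
            self.dropping = None
        elif not self.dropping and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self.dropping:
            # Re-escape text, so '5 < 6' comes back out as '5 &lt; 6'.
            self.out.append(html.escape(data, quote=False))

def allowlist_sanitize(doc):
    """Return `doc` rebuilt from allowed tags and attributes only."""
    parser = AllowlistSanitizer()
    parser.feed(doc)
    parser.close()
    return "".join(parser.out)

if __name__ == "__main__":
    print(blacklist_strip(SAMPLE_MESSAGE))
    print(allowlist_sanitize(SAMPLE_MESSAGE))
```

Run on the sample, the blacklist removes the applet and embed tags but leaves the script element and the onclick attribute untouched, because neither is in the array; the allowlist output contains only the paragraph, bold and link markup, with the link reduced to its href. PHP's own strip_tags() accepts a list of allowable tags, but it leaves attributes on those tags in place, so the attribute filtering shown here is the part a PHP version still has to add.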