RE: Preventing cross site scripting
From: David Cameron (dcameronitis-now.com)
Date: Thu Jun 19 2003 - 20:50:37 CDT
Create a list of unacceptable tags in an array (e.g. applet, embed), loop through the array and generate a regexpr based on the array, something of the form:
<(applet)|(embed).?> and replace all instances with "".
Do the same for any possible closing tags, i.e.:
</(applet)|(embed)> and replace all instances with "".
BTW the RegExpr may be wrong, I'm not all that hot on RegExprs, but you get the idea.
> -----Original Message-----
> From: Andrew Beverley [mailto:mailandybev.com]
> Sent: Friday, 20 June 2003 4:28 AM
> To: webappsecsecurityfocus.com
> Subject: Preventing cross site scripting
> I am currently writing a web application that, as a small part of it,
> needs to display an email message. Obviously the message is in html
> format, which to display could be sent straight to the browser.
> I would like to know the best way of filtering out undesirable html. I
> understand the best way is to only allow acceptable information, in
> this case all the different html formatting tags.
> However, there are a lot of tags that are acceptable. Another approach
> would be to strip out all the bad stuff such as <SCRIPT>, <OBJECT>,
> <APPLET>, and <EMBED> but this is far from ideal because of new tags
> becoming available and so on.
> Are there any functions available (for php) that will take an html page
> as input and strip out all nasty stuff? Does anyone have suggestions as
> to how to do this as easily as possible?
> Andrew Beverley
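An added example, not code from either poster: the tag-array blacklist pattern David describes, written in Python instead of PHP, next to the allowlist filter Andrew says is the better approach. The sample message body, the tag lists and the function names are constructed for this illustration; the point is that the blacklist leaves anything it does not list (here an unlisted tag and an event-handler attribute on a permitted tag) while the allowlist only emits what it recognises.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample message body (not from the thread).
SAMPLE = ('<p onclick="x()">Hello <b>world</b></p>'
          '<applet code="a"></applet><embed src="b"><iframe src="c"></iframe>')

# Blacklist approach: one pattern generated from an array of bad tag names.
BLACKLIST = ["applet", "embed"]

def strip_blacklisted(text):
    alt = "|".join(re.escape(t) for t in BLACKLIST)
    # Matches opening tags with any attributes, and closing tags, any case.
    pattern = re.compile(r"</?(?:%s)\b[^>]*>" % alt, re.IGNORECASE)
    return pattern.sub("", text)

# Allowlist approach: only known tags and known attributes reach the output.
ALLOWED_TAGS = {"p", "b", "i", "br", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_HREF = re.compile(r"(?i)^https?://")

class AllowlistFilter(HTMLParser):
    """Re-serialises only permitted tags; comments and unknown tags are dropped."""
    def __init__(self):
        super().__init__()          # convert_charrefs=True: data arrives decoded
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return                  # unknown tag (and its attributes) vanishes
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue            # drops onclick, style, etc.
            if name == "href" and not SAFE_HREF.match(value.strip()):
                continue            # only http/https links survive
            kept.append(' %s="%s"' % (name, html.escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))  # re-escape text nodes

def sanitize_allowlist(text):
    p = AllowlistFilter()
    p.feed(text)
    p.close()
    return "".join(p.out)
```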