Re: Preventing cross site scripting
From: Bob Lee (crazybob at crazybob.org)
Date: Thu Jun 19 2003 - 21:19:17 CDT
You can also embed javascript in seemingly harmless tags such as "img"
and in event handlers, such as "onload".
Bob
On Thursday, June 19, 2003, at 08:50 PM, David Cameron wrote:
> Create a list of unacceptable tags in an array (eg applet, embed),
> loop through the array and generate a regexpr based on the array,
> something of the form:
> <(applet)|(embed).?> and replace all instances with "".
>
> Do the same for any possible closing tags ie:
> </(applet)|(embed)> and replace all instances with "".
>
> BTW the RegExpr may be wrong, I'm not all that hot on RegExprs, but
> you get the idea.
>
> regards
> David Cameron
> nOw.b2b
> dcameron at itis-now.com
>
>> -----Original Message-----
>> From: Andrew Beverley [mailto:mail at andybev.com]
>> Sent: Friday, 20 June 2003 4:28 AM
>> To: webappsec at securityfocus.com
>> Subject: Preventing cross site scripting
>>
>>
>> I am currently writing a web application that, as a small part of it,
>> needs to display an email message. Obviously the message is potentially
>> in html format, which to display could be sent straight to the browser.
>>
>> I would like to know the best way of filtering out undesirable html. I
>> understand the best way is to only allow acceptable information, in this
>> case all the different html formatting tags.
>>
>> However, there are a lot of tags that are acceptable. Another approach
>> would be to strip out all the bad stuff such as <SCRIPT>, <OBJECT>,
>> <APPLET>, and <EMBED> but this is far from ideal because of new tags
>> becoming available and so on.
>>
>> Are there any functions available (for php) that will take an html page
>> as input and strip out all nasty stuff? Does anyone have suggestions as
>> to how to do this as easily as possible?
>>
>> Thanks,
>>
>> Andrew Beverley
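The two approaches discussed in this thread side by side, as an added example that is not part of the original messages and not a PHP library function (the question asked about PHP; this is written in Python so it can be run directly). It contains an allow-list sanitizer of the kind Andrew describes, which rebuilds the document from a fixed set of tags and attributes, and a corrected version of the tag-stripping deny-list from David's post. Both are run over a constructed HTML e-mail body that carries script inside an "img" event handler, the case Bob raises. The tag and attribute lists, the URL scheme check and all function names are assumptions chosen for illustration.

```python
"""Allow-list HTML sanitizer for displaying untrusted HTML such as e-mail bodies.

Added example, not code from the original thread. The allowed tags/attributes,
the scheme check and the function names are assumptions for illustration.
"""
import re
from html import escape
from html.parser import HTMLParser

# Anything not listed here is dropped. Because event handlers (onload, onerror,
# ...) and style= are never listed, they disappear without being named.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "h1", "h2", "h3",
                "ul", "ol", "li", "blockquote", "a", "img"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "width", "height"}}
VOID_TAGS = {"br", "img"}
ALLOWED_SCHEMES = {"http", "https", "mailto"}
SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.-]*):")


def safe_url(value: str) -> bool:
    """Accept relative URLs and http/https/mailto links; reject any other scheme.

    Whitespace and control characters are removed first so that a scheme
    split across them (e.g. "java\\nscript:") is still recognised as a scheme.
    """
    compact = re.sub(r"[\s\x00-\x1f]", "", value).lower()
    m = SCHEME_RE.match(compact)
    return m is None or m.group(1) in ALLOWED_SCHEMES


class AllowListSanitizer(HTMLParser):
    """Parses the input and emits a fresh document built only from allowed parts."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []   # allowed tags still awaiting their close tag
        self.skip_depth = 0   # >0 while inside <script>/<style>: their text is discarded

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag: drop the tag itself but keep its text content
        kept = []
        for name, value in attrs:  # HTMLParser lower-cases tag and attribute names
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            value = value or ""
            if name in ("href", "src") and not safe_url(value):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in self.open_tags:
            return
        while self.open_tags:  # close intervening unclosed tags to stay well-formed
            closing = self.open_tags.pop()
            self.out.append(f"</{closing}>")
            if closing == tag:
                break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))  # text is re-escaped on output

    # comments, doctypes and processing instructions are dropped by default

    def result(self) -> str:
        self.close()
        while self.open_tags:
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize(html: str) -> str:
    s = AllowListSanitizer()
    s.feed(html)
    return s.result()


# The deny-list idea from the quoted post, with the regex corrected to what it
# intended (remove a fixed set of tags). Kept only to show the gap Bob points
# out: script carried in attributes of a harmless tag is never touched.
BLOCKED_TAG_RE = re.compile(r"</?\s*(script|object|applet|embed)\b[^>]*>", re.I)


def blocklist_strip(html: str) -> str:
    return BLOCKED_TAG_RE.sub("", html)


if __name__ == "__main__":
    # Constructed sample e-mail body: script hidden in an img event handler.
    sample = ('<p>Hi <b>there</b></p>'
              '<img src="logo.png" onload="alert(1)"><script>alert(2)</script>')
    print(blocklist_strip(sample))  # onload="alert(1)" survives, script body left as text
    print(sanitize(sample))         # <p>Hi <b>there</b></p><img src="logo.png">
```

The sanitizer never tries to recognise bad input; it only copies what it recognises as good, so a tag or attribute it has not heard of is removed rather than passed through, which is what makes the allow-list approach hold up as new tags appear.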