Antigen forwarded attachment

Antigen_MISSsecurityfocus.com
Date: Fri Jun 20 2003 - 03:06:52 CDT


The entire message "RE: Preventing cross site scripting", originally sent to you by Mutallip Ablimit (mutaxinsi.co.jp), has been forwarded to you from the Antigen Quarantine area.
This message may have been re-scanned by Antigen and handled according to the appropriate scan job's settings.

<<Entire Message.eml>>

attached mail follows:


Yes, replace all of the unacceptable tags with "", it will work fine.
And as a plus,
PHP has a strip_tags() function.
I haven't tried it yet, but I think it could be used to remove all
unacceptable tags.
In this case, maybe you have to make a list of all allowed tags.

strip_tags($Text, "<allowed tag>");

This will only allow the "<allowed tag>".

Regards,

-----------
Mutellip Ablimit
INSI
mutaxinsi.co.jp

-----Original Message-----
From: David Cameron [mailto:dcameronitis-now.com]
Sent: Friday, June 20, 2003 10:51 AM
To: Andrew Beverley; webappsecsecurityfocus.com
Subject: RE: Preventing cross site scripting

Create a list of unacceptable tags in an array (e.g. applet, embed), loop
through the array and generate a regexpr based on the array, something of
the form:
<(applet)|(embed).?> and replace all instances with "".

Do the same for any possible closing tags, i.e.:
</(applet)|(embed)> and replace all instances with "".

BTW the RegExpr may be wrong, I'm not all that hot on RegExprs, but you get
the idea.

regards
David Cameron
nOw.b2b
dcameronitis-now.com

> -----Original Message-----
> From: Andrew Beverley [mailto:mailandybev.com]
> Sent: Friday, 20 June 2003 4:28 AM
> To: webappsecsecurityfocus.com
> Subject: Preventing cross site scripting
>
>
> I am currently writing a web application that, as a small part of it,
> needs to display an email message. Obviously the message is potentially
> in html format, which to display could be sent straight to the browser.
>
> I would like to know the best way of filtering out undesirable html. I
> understand the best way is to only allow acceptable information, in this
> case all the different html formatting tags.
>
> However, there are a lot of tags that are acceptable. Another approach
> would be to strip out all the bad stuff such as <SCRIPT>, <OBJECT>,
> <APPLET>, and <EMBED> but this is far from ideal because of new tags
> becoming available and so on.
>
> Are there any functions available (for php) that will take a html page
> as input and strip out all nasty stuff? Does anyone have suggestions as
> to how to do this as easily as possible?
>
> Thanks,
>
> Andrew Beverley
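The thread proposes two approaches: removing a list of known-bad tags with a regular expression (David's post) and keeping only a list of allowed tags with PHP's strip_tags() (Mutallip's post). The allow-list is the sounder of the two, but strip_tags() has a documented caveat that neither post mentions: it does not modify the attributes of the tags it lets through, so an allowed <p> or <a> still carries any onclick or javascript: href it arrived with, and the text inside a removed <script> element survives as plain text. The following is an added example, not code from the thread or its authors; it is written for PHP 7.1 or later and builds on strip_tags() with a second pass that rebuilds every surviving tag from scratch, keeping only an href whose scheme is http, https or mailto. The function name sanitize_html, the default tag list and the sample input are all assumptions made for this illustration.

```php
<?php
// Added example (not from the thread): allow-list HTML sanitiser for an
// e-mail body that will be rendered in a browser.
//
// Step 1 uses strip_tags() exactly as the thread suggests: only tags named
// in $allowed survive. Step 2 does what strip_tags() deliberately does not:
// it drops every attribute on a surviving tag, re-adding href only for
// <a> and only when the URL uses an http, https or mailto scheme.

function sanitize_html(
    string $html,
    array $allowed = ['p', 'br', 'b', 'i', 'u', 'em', 'strong', 'a', 'ul', 'ol', 'li']
): string {
    // Step 1: tag allow-list. strip_tags() wants the list as "<p><br>...".
    $allowedList = '<' . implode('><', $allowed) . '>';
    $html = strip_tags($html, $allowedList);

    // Step 2: attribute pass. Every remaining tag is rebuilt as
    // "<name>" or "</name>", so attributes such as onclick or style
    // that strip_tags() left in place are discarded.
    return preg_replace_callback(
        '#<\s*(/?)\s*([a-zA-Z][a-zA-Z0-9]*)([^>]*)>#s',
        function (array $m): string {
            [, $slash, $name, $attrs] = $m;
            $name = strtolower($name);
            if ($slash === '/') {
                return "</$name>";
            }

            $kept = '';
            if ($name === 'a'
                && preg_match('/\bhref\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s"\'>]+))/i', $attrs, $h)
            ) {
                // Only one of the three capture groups matched; unmatched
                // trailing groups are absent, so implode() yields the value.
                $url = trim(implode('', array_slice($h, 1)));
                if (preg_match('#^(?:https?://|mailto:)#i', $url)) {
                    $kept = ' href="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '"';
                }
            }
            return "<$name$kept>";
        },
        $html
    );
}

// Constructed sample input (not from the thread) exercising each case:
// an event-handler attribute on an allowed tag, a script element, a
// javascript: link, a normal https link and a tag outside the allow-list.
$sample = '<p onclick="x()">Hi <b>there</b> <script>x()</script>'
        . '<a href="javascript:x()">bad</a> <a href="https://example.com/">ok</a>'
        . '<applet></applet></p>';

echo sanitize_html($sample), "\n";
```

Note that the text "x()" from inside the script element is still printed, because strip_tags() removes tags, not their content; that is harmless as text but worth knowing when comparing output with the input. For anything beyond simple formatting tags, a parser-based sanitiser such as HTML Purifier is the more robust choice, since regular expressions over raw markup do not handle malformed or nested input the way a browser does.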