Re: whitelisting HTML tags
From: Richard Moore (rich westpoint.ltd.uk)
Date: Wed Nov 02 2005 - 09:30:39 CST
Thomas Chiverton wrote:
> On Wednesday 02 November 2005 15:17, you said:
>
>>Can you simply limit your input to character markup tags like
>><b>, <i> etc?
>
>
> No.
> IE allows
> <b style="expression(alert(cookies.password))">
> type attacks, iirc.
Sure, but you don't need to support any attributes at all if
the character markup tags themselves provide sufficient flexibility.
Rich.
--
Richard Moore, Principal Software Engineer,
Westpoint Ltd,
Albion Wharf, 19 Albion Street, Manchester, M1 5LN, England
Tel: +44 161 237 1028
Fax: +44 161 237 1031
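
The approach suggested in this message, as an added example that is not part of the original post: a Python sketch that rebuilds output from parser events, emitting allowlisted character-markup tags with no attributes at all and escaping all text. The tag list and the names `ALLOWED_TAGS`, `BareTagSanitizer` and `sanitize` are assumptions made for illustration.

```python
from html import escape
from html.parser import HTMLParser

# Assumed allowlist of character-markup tags (not taken from the thread).
ALLOWED_TAGS = frozenset({"b", "i", "em", "strong", "u", "sub", "sup"})


class BareTagSanitizer(HTMLParser):
    """Re-emit input as escaped text plus attribute-free allowlisted tags."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []  # allowlisted tags currently open, innermost last

    def handle_starttag(self, tag, attrs):
        # attrs is never copied to the output, so style=, on*= and any other
        # attribute cannot survive, whatever the browser would do with it.
        if tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        # Close only tags we opened; close anything nested inside them first.
        if tag in self.open_tags:
            while self.open_tags:
                top = self.open_tags.pop()
                self.out.append(f"</{top}>")
                if top == tag:
                    break

    def handle_data(self, data):
        # Text is always re-escaped; comments and declarations are dropped
        # because their handlers are left as the default no-ops.
        self.out.append(escape(data, quote=True))


def sanitize(markup):
    parser = BareTagSanitizer()
    parser.feed(markup)
    parser.close()
    # Balance anything the author left open.
    parser.out.extend(f"</{t}>" for t in reversed(parser.open_tags))
    return "".join(parser.out)


if __name__ == "__main__":
    # Sample input is the string quoted in the thread above.
    print(sanitize('<b style="expression(alert(cookies.password))">hi</b>'))
```

Because the output is regenerated rather than filtered in place, a tag outside the allowlist loses its markup and only its escaped text content remains.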