Re: whitelisting HTML tags
From: Richard Moore (richwestpoint.ltd.uk)
Date: Wed Nov 02 2005 - 09:30:39 CST
Thomas Chiverton wrote:
> On Wednesday 02 November 2005 15:17, you said:
>>Can you simply limit your input to character markup tags like
>><b>, <i> etc?
> IE allows
> <b style="expression(alert(cookies.password))">
> type attacks, iirc.
Sure, but you don't need to support any attributes at all if
the character markup tags themselves provide sufficient flexibility.
Richard Moore, Principal Software Engineer,
Albion Wharf, 19 Albion Street, Manchester, M1 5LN, England
Tel: +44 161 237 1028
Fax: +44 161 237 1031
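
The attribute-free whitelist suggested in this reply, as an added example that is not part of the original message or of any poster's code. The tag set `ALLOWED_TAGS` and the function name `sanitize` are assumptions chosen for illustration. It escapes all input first and re-enables only bare character-markup tags, so a tag carrying any attribute never matches and stays inert text.

```python
import html
import re

# Assumed allowlist: character-markup tags only, never with attributes.
ALLOWED_TAGS = {"b", "i", "em", "strong", "u"}

# Matches an escaped bare tag such as "&lt;b&gt;" or "&lt;/i&gt;". A tag with
# whitespace, attributes or a trailing slash does not match and stays escaped.
_BARE_TAG = re.compile(r"&lt;(/?)([A-Za-z]+)&gt;")


def sanitize(untrusted: str) -> str:
    """Escape everything, then restore only attribute-less allowlisted tags."""
    escaped = html.escape(untrusted, quote=True)
    open_tags = []  # stack of allowlisted tags currently open

    def restore(match):
        closing, name = match.group(1), match.group(2).lower()
        if name not in ALLOWED_TAGS:
            return match.group(0)      # not allowlisted: leave as inert text
        if not closing:
            open_tags.append(name)
            return f"<{name}>"
        if open_tags and open_tags[-1] == name:
            open_tags.pop()
            return f"</{name}>"
        return match.group(0)          # stray or misnested close stays escaped

    result = _BARE_TAG.sub(restore, escaped)
    # Close anything left open so markup cannot bleed into the rest of the page.
    return result + "".join(f"</{t}>" for t in reversed(open_tags))


if __name__ == "__main__":
    # Constructed inputs, including the attribute case quoted in the thread.
    for sample in ('<b style="expression(alert(cookies.password))">hi</b>',
                   "<b>bold</b> and <i>unclosed",
                   "<script>x</script>"):
        print(sanitize(sample))
```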