WebApp Sec
mailing list archives
Preventing cross site scripting
From: Andrew Beverley <andy () andybev com>
Date: Thu, 19 Jun 2003 18:54:20 +0100
I am currently writing a web application that, as a small part of it,
needs to display an email message. Obviously the message is potentially
in HTML format, which to display could be sent straight to the browser.

I would like to know the best way of filtering out undesirable HTML. I
understand the best way is to only allow acceptable information, in this
case all the different HTML formatting tags.

However, there are a lot of tags that are acceptable. Another approach
would be to strip out all the bad stuff such as <SCRIPT>, <OBJECT>,
<APPLET>, and <EMBED>, but this is far from ideal because of new tags
becoming available and so on.

Are there any functions available (for PHP) that will take an HTML page
as input and strip out all nasty stuff? Does anyone have suggestions as
to how to do this as easily as possible?

Thanks,
Andrew Beverley
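
The allow-only-known-good approach raised in the question, as an added example that is not part of the original post or of any reply in the thread: it parses the message with PHP's DOM extension, keeps only allowlisted tags and attributes, and accepts `href` values only with an allowlisted scheme. The function names, the tag, attribute and scheme lists, and the UTF-8 input are assumptions made for illustration.

```php
<?php
// Added example: allowlist filter. All lists below are illustrative assumptions.
const ALLOWED_TAGS = ['p', 'br', 'b', 'i', 'u', 'em', 'strong', 'a', 'ul', 'ol', 'li', 'blockquote', 'pre'];
const ALLOWED_ATTRS = ['a' => ['href']];
const ALLOWED_SCHEMES = ['http', 'https', 'mailto'];
const DROP_WITH_CONTENT = ['script', 'style', 'object', 'applet', 'embed', 'iframe'];

function sanitize_node(DOMNode $node): void
{
    // Snapshot the children: the tree is modified while it is walked.
    foreach (iterator_to_array($node->childNodes, false) as $child) {
        if ($child instanceof DOMText) { continue; }          // text is escaped on output
        $tag = $child instanceof DOMElement ? strtolower($child->tagName) : null;
        if ($tag === null || in_array($tag, DROP_WITH_CONTENT, true)) {
            $node->removeChild($child);                       // comments, PIs, active content
            continue;
        }
        sanitize_node($child);                                // clean descendants first
        if (!in_array($tag, ALLOWED_TAGS, true)) {
            // Unknown tag: keep its cleaned children, drop the element itself.
            while ($child->firstChild) { $node->insertBefore($child->firstChild, $child); }
            $node->removeChild($child);
            continue;
        }
        foreach (iterator_to_array($child->attributes, false) as $attr) {
            $name = strtolower($attr->name);
            $ok = in_array($name, ALLOWED_ATTRS[$tag] ?? [], true);
            if ($ok && $name === 'href') {                    // absolute URLs with a known scheme only
                $scheme = parse_url(trim($attr->value), PHP_URL_SCHEME);
                $ok = is_string($scheme) && in_array(strtolower($scheme), ALLOWED_SCHEMES, true);
            }
            if (!$ok) { $child->removeAttribute($attr->name); }
        }
    }
}

function sanitize_html(string $html): string
{
    $doc = new DOMDocument();
    $prev = libxml_use_internal_errors(true);                 // mail HTML is often malformed
    $doc->loadHTML('<?xml encoding="UTF-8">' . $html, LIBXML_NONET); // assumes UTF-8 input
    libxml_clear_errors(); libxml_use_internal_errors($prev);
    $body = $doc->getElementsByTagName('body')->item(0);
    if ($body === null) { return ''; }
    sanitize_node($body);
    $out = '';
    foreach ($body->childNodes as $c) { $out .= $doc->saveHTML($c); }
    return $out;
}
// Constructed sample input: event handler, script block, script URL, unknown tag.
echo sanitize_html('<p onclick="x()">Hi <b>there</b><script>alert(1)</script> <a href="javascript:alert(1)">link</a> <font color="red">red</font></p>'), "\n";
```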