WebApp Sec: Re: Preventing cross site scripting

[Andrew Beverley <andy () andybev com>]

Hi,

Just a quick note to say thanks to all the people who have come up with 
a wealth of different solutions to this problem. It seems to me as if 
the best solution is to htmlentities() (or similar) the whole lot, then 
only convert back what you know.
It's good to see that there are projects around trying to deal 
effectively with XSS. What would be brilliant would be if languages such 
as php included a builtin function for this. Not only would it make it 
dead easy, but also, as html standards change over time, the function 
would presumably be updated in future versions, and then by simply 
keeping an up to date copy of php (which presumably you would do 
anyway), your XSS filtering keeps up to date.
Thanks,

Andrew Beverley


Andrew Beverley wrote:

> I am currently writing a web application that, as a small part of it,
> needs to display an email message. Obviously the message is potentially
> in html format, which to display could be sent straight to the browser.
>
> I would like to know the best way of filtering out undesirable html. I
> understand the best way is to only allow acceptable information, in this
> case all the different html formatting tags.
>
> However, there is a lot of tags that are acceptable. Another approach
> would be to strip out all the bad stuff such as <SCRIPT>, <OBJECT>,
> <APPLET>, and <EMBED> but this is far from ideal because of new tags
> becoming available and so on.
>
> Are there any functions available (for php) that will take a html page
> as input and strip out all nasty stuff? Does anyone have suggestions as
> to how to do this as easy as possible?
>
> Thanks,
>
> Andrew Beverley