WebApp Sec mailing list archives
Re: Preventing cross site scripting
From: Bob Lee <crazybob () crazybob org>
Date: Thu, 19 Jun 2003 21:19:17 -0500
You can also embed javascript in seemingly harmless tags such as "img" and in event handlers, such as "onload".
Bob

On Thursday, June 19, 2003, at 08:50 PM, David Cameron wrote:

Create a list of unacceptable tags in an array (eg applet, embed), loop through the array and generate a regexpr based on the array, something of the form: <(applet)|(embed).?> and replace all instances with "". Do the same for any possible closing tags ie: </(applet)|(embed)> and replace all instances with "".

BTW the RegExpr may be wrong, I'm not all that hot on RegExprs, but you get the idea.

regards
David Cameron
nOw.b2b
dcameron () itis-now com

-----Original Message-----
From: Andrew Beverley [mailto:mail () andybev com]
Sent: Friday, 20 June 2003 4:28 AM
To: webappsec () securityfocus com
Subject: Preventing cross site scripting

I am currently writing a web application that, as a small part of it, needs to display an email message. Obviously the message is potentially in html format, which to display could be sent straight to the browser. I would like to know the best way of filtering out undesirable html.

I understand the best way is to only allow acceptable information, in this case all the different html formatting tags. However, there are a lot of tags that are acceptable. Another approach would be to strip out all the bad stuff such as <SCRIPT>, <OBJECT>, <APPLET>, and <EMBED> but this is far from ideal because of new tags becoming available and so on.

Are there any functions available (for php) that will take an html page as input and strip out all nasty stuff? Does anyone have suggestions as to how to do this as easily as possible?

Thanks,
Andrew Beverley