Full Disclosure mailing list archives
Re: strip_tags() but not only vulnerability
From: ascii <ascii () katamail com>
Date: Thu, 30 Mar 2006 02:22:08 +0200
Tõnu Samuel wrote:
Many websites are still vulnerable and similar problems happen not depending on programming language too often: http://www.jes.ee/~tonu/strip.php
yes, if you use strip_tags() with the whitelist argument the whitelisted tag can be misused.. the php manual warns you about this, so no news.. note that strip_tags() isn't the right function to use against xss (use regexpr, htmlentities() or htmlspecialchars() instead) the solution is: $foo = htmlentities(strip_tags($foo)); or just: $foo = htmlentities($foo); if you need to "white list" some tags use an alias (like [b]bold[/b], etc) and then str_replace (as done by many web applications) tonu: imho this thread is well suited for webappsec but not for fd or bt, also can you remove the word "vulnerability" from the subject of this type of mails? don't misunderstand me, i like informative mails and yours efforts, just post on the right mailing list : ) regards, ascii, http://www.ush.it _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- strip_tags() but not only vulnerability Tõnu Samuel (Mar 29)
- Re: strip_tags() but not only vulnerability ascii (Mar 29)