Vulnerability Development mailing list archives
Re: [imp] sanitizing html
From: mikael.olsson () ENTERNET SE (Mikael Olsson)
Date: Wed, 23 Feb 2000 13:13:16 +0100
Stuart Henderson wrote:
> Not sufficiently global, since an attacker can still use, for example hrEf=script:foo -- however, this is tricky to filter without hitting some legitimate addresses, for example http://foo.bar.com/womble.cgi?user=someone&page=something.
Correct. And you can also use UTF-7 (Unicode) chars to make script tags and everything look like something else altogether. This means that

## $data = preg_replace('|<([^>]*)[Ee][Mm][Bb][Ee][Dd]|', '<horde_cleaned_embed', $data);

wouldn't protect you at all.

--
Mikael Olsson, EnterNet Sweden AB, Box 393, S-891 28 ÖRNSKÖLDSVIK
Phone: +46 (0)660 105 50  Fax: +46 (0)660 122 50  Mobile: +46 (0)70 248 00 33
WWW: http://www.enternet.se  E-mail: mikael.olsson () enternet se
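The charset problem described above, as an added example that is not code from the thread or from IMP/Horde: a Python port of the quoted preg_replace blacklist, run on a constructed UTF-7 message body, beside a hardened sanitizer that decodes to one canonical Unicode form first and then keeps only an allowlist of tags. ALLOWED_TAGS, allowlist_clean and the sample body are assumptions made for the example.

```python
import re

# Port of the PHP blacklist quoted in the thread: rewrite any "<embed" (case-
# insensitive) to "<horde_cleaned_embed".  It inspects the characters it is
# handed as-is, so markup hidden behind another charset is invisible to it.
EMBED_BLACKLIST = re.compile(r"<([^>]*)[Ee][Mm][Bb][Ee][Dd]")

def blacklist_clean(data: str) -> str:
    return EMBED_BLACKLIST.sub("<horde_cleaned_embed", data)

# Hardened approach (assumption for this example, not IMP/Horde code): decode
# the body with its declared charset into Unicode, keep only allowlisted tag
# names with no attributes, and emit UTF-8 so the browser never re-interprets
# the bytes under a charset the filter did not see.
ALLOWED_TAGS = {"b", "i", "p", "br", "em", "strong"}
TAG_RE = re.compile(r"<\s*(/?)\s*([A-Za-z][A-Za-z0-9]*)[^>]*>")

def allowlist_clean(raw: bytes, declared_charset: str) -> bytes:
    text = raw.decode(declared_charset, errors="replace")

    def keep_or_drop(m: re.Match) -> str:
        slash, name = m.group(1), m.group(2).lower()
        # Re-emit only the bare tag; attributes on allowed tags are dropped too.
        return f"<{slash}{name}>" if name in ALLOWED_TAGS else ""

    return TAG_RE.sub(keep_or_drop, text).encode("utf-8")

# Constructed test input: "<embed src=x>" written in RFC 2152 UTF-7, where
# "+ADw-" decodes to '<' and "+AD4-" to '>'.  A client told charset=utf-7
# turns this back into a real <embed> tag after the filter has run.
UTF7_BODY = b"hello +ADw-embed src=x+AD4- world"

def demo():
    # 1. Blacklist over the raw bytes read as ASCII: nothing looks like "<embed".
    naive = blacklist_clean(UTF7_BODY.decode("ascii"))
    # 2. Same blacklist after decoding as UTF-7: the tag is visible and rewritten.
    decoded = blacklist_clean(UTF7_BODY.decode("utf-7"))
    # 3. Allowlist on the decoded text: the tag is removed outright.
    hardened = allowlist_clean(UTF7_BODY, "utf-7")
    return naive, decoded, hardened

if __name__ == "__main__":
    for label, out in zip(("naive", "decoded", "hardened"), demo()):
        print(f"{label}: {out!r}")
```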
Current thread:
- Re: [imp] sanitizing html Stuart Henderson (Feb 21)
- Re: [imp] sanitizing html Mikael Olsson (Feb 23)
- Re: [imp] sanitizing html Marc Slemko (Feb 23)
- Re: [imp] sanitizing html Mikael Olsson (Feb 23)