WebApp Sec mailing list archives
Preventing cross site scripting
From: Andrew Beverley <andy () andybev com>
Date: Thu, 19 Jun 2003 18:54:20 +0100
I am currently writing a web application that, as a small part of it, needs to display an email message. Obviously the message is potentially in html format, which to display could be sent straight to the browser.
I would like to know the best way of filtering out undesirable html. I understand the best way is to only allow acceptable information, in this case all the different html formatting tags.
However, there are a lot of tags that are acceptable. Another approach would be to strip out all the bad stuff such as <SCRIPT>, <OBJECT>, <APPLET>, and <EMBED> but this is far from ideal because of new tags becoming available and so on.
Are there any functions available (for php) that will take an html page as input and strip out all nasty stuff? Does anyone have suggestions as to how to do this as easily as possible?
Thanks, Andrew Beverley