WebApp Sec mailing list archives
RE: Preventing cross site scripting
From: "Mutallip Ablimit" <mutax () insi co jp>
Date: Fri, 20 Jun 2003 11:16:43 +0900
Yes, replace all of the unacceptable tags with "", it will work fine. And for a plus, PHP has a strip_tags() function. Didn't have tried yet, but I think it could be used to remove all unacceptable tags. In this case, may be you have to make a list of all allowed tags. strip_tags($Text, "<allowed tag>"); This will only allows the "<allowed tag>". Regards, ----------- Mutellip Ablimit INSI mutax () insi co jp -----Original Message----- From: David Cameron [mailto:dcameron () itis-now com] Sent: Friday, June 20, 2003 10:51 AM To: Andrew Beverley; webappsec () securityfocus com Subject: RE: Preventing cross site scripting Create a list of unacceptable tags in an array (eg applet, embed), loop through the array and generate a regexpr based on the array, something of the form: <(applet)|(embed).?> and replace all instances with "". Do the same for any possible closing tags ie: </(applet)|(embed)> and replace all instances with "". BTW the RegExpr may be wrong, I'm not all that hot on RegExprs, but you get the idea. regards David Cameron nOw.b2b dcameron () itis-now com
-----Original Message----- From: Andrew Beverley [mailto:mail () andybev com] Sent: Friday, 20 June 2003 4:28 AM To: webappsec () securityfocus com Subject: Preventing cross site scripting I am currently writing a web application that, as a small part of it, needs to display an email message. Obviously the message is potentially in html format, which to display could be sent straight to the browser. I would like to know the best way of filtering out undesirable html. I understand the best way is to only allow acceptable information, in this case all the different html formatting tags. However, there is a lot of tags that are acceptable. Another approach would be to strip out all the bad stuff such as <SCRIPT>, <OBJECT>, <APPLET>, and <EMBED> but this is far from ideal because of new tags becoming available and so on. Are there any functions available (for php) that will take a html page as input and strip out all nasty stuff? Does anyone have suggestions as to how to do this as easy as possible? Thanks, Andrew Beverley
Current thread:
- Re: Preventing cross site scripting, (continued)
- Re: Preventing cross site scripting Laurian Gridinoc (Jun 21)
- Re: Preventing cross site scripting Tim Greer (Jun 21)
- Re: Preventing cross site scripting Tim Greer (Jun 20)
- Re: Preventing cross site scripting Matt Rohrer (Jun 20)
- Re: Preventing cross site scripting Andrew Beverley (Jun 24)
- Preventing cross site scripting Andrew Beverley (Jun 19)
- Re: Preventing cross site scripting Tim Greer (Jun 19)
- RE: Preventing cross site scripting David Cameron (Jun 19)
- Re: Preventing cross site scripting Alex Lambert (Jun 19)
- Re: Preventing cross site scripting Tim Greer (Jun 19)
- RE: Preventing cross site scripting Mutallip Ablimit (Jun 19)
- RE: Preventing cross site scripting Jeremiah Grossman (Jun 19)
- Re: Preventing cross site scripting Tim Greer (Jun 19)
- Re: Preventing cross site scripting Alex Lambert (Jun 19)
- Re: Preventing cross site scripting Bob Lee (Jun 19)
- Re: Preventing cross site scripting Tim Greer (Jun 19)
- Re: Preventing cross site scripting Tim Greer (Jun 19)
- Re: Preventing cross site scripting Tim Greer (Jun 20)
- RE: Preventing cross site scripting Mutellip Ablimit (Jun 20)
- Re: Preventing cross site scripting Tim Greer (Jun 20)