Hosting Provided By

Preventing cross site scripting

From: Andrew Beverley <mail(at)andybev.com>
Date: Thu Jun 19 2003 - 14:28:06 EDT

I am currently writing a web application that, as a small part of it, needs to display an email message. Obviously the message is potentially in html format, which to display could be sent straight to the browser.

I would like to know the best way of filtering out undesirable html. I understand the best way is to only allow acceptable information, in this case all the different html formatting tags.

However, there is a lot of tags that are acceptable. Another approach would be to strip out all the bad stuff such as <SCRIPT>, <OBJECT>, <APPLET>, and <EMBED> but this is far from ideal because of new tags becoming available and so on.

Are there any functions available (for php) that will take a html page as input and strip out all nasty stuff? Does anyone have suggestions as to how to do this as easy as possible?

Thanks,

Andrew Beverley Received on Thu Jun 19 21:55:38 2003

This message: [ Message body ]
Next message: Kooper, Larry: "Input validation"
Previous message: Gary H. Jones II: "Re: what does this allow ?"
Next in thread: Jeremiah Grossman: "Re: Preventing cross site scripting"
Reply: Jeremiah Grossman: "Re: Preventing cross site scripting"
Reply: Tim Greer: "Re: Preventing cross site scripting"
Reply: Matt Rohrer: "Re: Preventing cross site scripting"
Reply: Andrew Beverley: "Re: Preventing cross site scripting"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:52 EDT