
RE: Preventing cross site scripting

From: Mutellip Ablimit <mutax(at)insi.co.jp>
Date: Fri Jun 20 2003 - 00:40:48 EDT


This strip_tags($Text, "<allowed tag>"); will be helpful then. (for PHP)

Regards.



Mutellip Ablimit
mutax@insi.co.jp

-----Original Message-----
From: Tim Greer [mailto:chatmaster@charter.net] Sent: Friday, June 20, 2003 1:03 PM
To: Jeremiah Grossman; Mutellip Ablimit
Cc: webappsec@securityfocus.com
Subject: Re: Preventing cross site scripting

----- Original Message -----
From: "Jeremiah Grossman" <jeremiah@whitehatsec.com>
To: "Mutellip Ablimit" <mutax@insi.co.jp>
Cc: <webappsec@securityfocus.com>
Sent: Thursday, June 19, 2003 8:00 PM
Subject: RE: Preventing cross site scripting

> certainly, this is probably the best practice no matter the method.

No, not the best method. This is illogical. You can't "check" for bad tags. You can only verify "good" tags. To do otherwise would be to blindly accept tags; there are no other alternatives to that logic. If you only enable good tags, you have control, and you don't have to check for bad tags, since you didn't enable them. Otherwise your logic goes into an endless loop and you'll never be able to get past this problem. It will also make it unnecessarily complicated and inefficient for such a simple task.

--
Regards,
Tim Greer <chatmaster@charter.net>
Server administration, security, programming, consulting.
Received on Fri Jun 20 08:34:25 2003
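The allowlist approach Tim describes, and the strip_tags() suggestion that follows it, have one practical caveat worth showing: PHP's strip_tags() leaves every attribute on the tags it keeps untouched, so an allowlist has to cover attributes (and URL schemes in href) as well as tag names. The example below is added here and is not code from the thread or from PHP; it is a small Python reimplementation of the "only enable good tags" logic, with a constructed policy (ALLOWED_TAGS, ALLOWED_ATTRS, ALLOWED_URL_SCHEMES) that you would replace with your own. Everything not explicitly allowed is dropped or escaped; nothing is "checked for badness".

```python
"""Allowlist-based HTML sanitiser (added example; not from the thread or PHP)."""
from html import escape
from html.parser import HTMLParser

# Constructed policy: the only elements user-supplied markup may contain.
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br", "a"}
# Attributes permitted per allowed tag. Anything not listed is dropped,
# which is exactly what strip_tags(..., allowed) does NOT do.
ALLOWED_ATTRS = {"a": {"href"}}
# Constructed scheme allowlist for href values.
ALLOWED_URL_SCHEMES = ("http://", "https://", "mailto:")
# Elements that never get a closing tag.
VOID_TAGS = {"br"}


class AllowlistSanitizer(HTMLParser):
    """Rebuild the input from scratch, emitting only allowed markup."""

    def __init__(self):
        # convert_charrefs decodes entities in text so we can re-escape
        # them uniformly in handle_data().
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # unknown element: drop the markup, keep its inner text
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue  # event handlers, style, etc. never get here
            if name == "href" and not value.strip().lower().startswith(ALLOWED_URL_SCHEMES):
                continue  # unknown URL scheme: drop the attribute, keep the tag
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text is always escaped, so it can never re-open a tag.
        self.out.append(escape(data, quote=False))

    # Comments, doctype and processing instructions fall through to the
    # base class no-op handlers and are therefore discarded.

    def result(self):
        return "".join(self.out)


def sanitize(html: str) -> str:
    """Return html reduced to the allowlisted tags and attributes."""
    p = AllowlistSanitizer()
    p.feed(html)
    p.close()
    return p.result()


if __name__ == "__main__":
    # Constructed inputs showing the attribute caveat and the text escaping.
    for sample in (
        '<b onmouseover="x()">hi</b>',
        '<script>alert(1)</script>',
        '<a href="ftp://example.com/">x</a>',
        "Tom & Jerry",
    ):
        print(repr(sample), "->", repr(sanitize(sample)))
```

The parser rebuilds the output rather than editing the input string, so there is no "check for bad tags" step at all: a tag is either in ALLOWED_TAGS and re-emitted with only its allowed attributes, or it disappears and its text content is escaped. Unbalanced input (a stray </b>) is passed through as a harmless closing tag; if you need well-formed output, track open tags on a stack and close them in close().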

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:52 EDT

