RE: Preventing cross site scripting
From: Calderon, Juan C (EM, DDEMESIS) <Juan.Calderon(at)ge.com>
Date: Fri Jun 20 2003 - 10:58:01 EDT
I think this approach is a good solution (if no scripting or form submission is needed): you will simply see the mail with the format you gave it, but with no interactive functionality. It should be implemented server side, though. Cheers :)
-----Original Message-----
I am currently writing a web application that, as a small part of it, needs to display an email message. Obviously the message is potentially in HTML format, which, to display it, could be sent straight to the browser. I would like to know the best way of filtering out undesirable HTML. I understand the best way is to only allow acceptable information, in this case all the different HTML formatting tags. However, there are a lot of tags that are acceptable. Another approach would be to strip out all the bad stuff such as <SCRIPT>, <OBJECT>, <APPLET>, and <EMBED>, but this is far from ideal because of new tags becoming available and so on. Are there any functions available (for PHP) that will take an HTML page as input and strip out all the nasty stuff? Does anyone have suggestions as to how to do this as easily as possible?

Thanks,
Andrew Beverley

Received on Sat Jun 21 22:30:21 2003
This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:53 EDT
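One way to implement the allowlist approach the thread settles on, as an added example that is not part of the original messages (PHP 7.1+, using the standard dom extension; the tag and attribute lists, the sample mail and the function names are my own choices, not anything from the thread). The one PHP function people usually reach for here, strip_tags() with a list of allowed tags, keeps every attribute on the tags it allows (onclick, style, href="javascript:..."), so it is not sufficient on its own. Parsing with DOMDocument and walking the tree avoids the regex pitfalls (nested quotes, unclosed tags, entity-encoded schemes) and, because the DOM hands back decoded attribute values, an href of &#106;avascript: is seen as javascript: and rejected.

```php
<?php
// Added example, not code from the original thread: allowlist-based sanitizer
// for displaying an untrusted HTML e-mail body. Keeps only known-safe elements
// and attributes; everything else is dropped (unknown tags are unwrapped, script
// and friends are removed together with their content). PHP 7.1+, ext/dom.

// Elements kept, with the attributes each may carry. 'style' is deliberately
// absent everywhere: CSS can carry url() and (in old IE) expression().
const ALLOWED = [
    'p' => [], 'br' => [], 'b' => [], 'strong' => [], 'i' => [], 'em' => [],
    'u' => [], 'ul' => [], 'ol' => [], 'li' => [], 'blockquote' => [], 'pre' => [],
    'h1' => [], 'h2' => [], 'h3' => [], 'div' => [], 'span' => [], 'hr' => [],
    'table' => [], 'tr' => [], 'td' => ['colspan', 'rowspan'], 'th' => ['colspan', 'rowspan'],
    'a' => ['href', 'title'],
    // Remote images leak a "message was read" signal; remove this line if that matters.
    'img' => ['src', 'alt', 'width', 'height'],
];
// Elements whose content is dropped too (there is nothing displayable inside them).
const DROP_WITH_CONTENT = ['script', 'style', 'object', 'embed', 'applet', 'iframe',
    'frame', 'frameset', 'form', 'input', 'button', 'textarea', 'select', 'noscript', 'title'];

// Accept only http, https and mailto. Control characters and whitespace are
// removed first because browsers ignore them inside a scheme ("java\tscript:").
function urlIsSafe(string $url): bool
{
    $clean = preg_replace('/[\x00-\x20\x7f]+/', '', $url);
    return preg_match('#^(https?://|mailto:)#i', $clean) === 1;
}

function cleanAttributes(DOMElement $el, array $allowedAttrs): void
{
    $names = [];
    foreach ($el->attributes as $attr) {   // collect first: removing while iterating is unsafe
        $names[] = $attr->name;
    }
    foreach ($names as $name) {
        $lname = strtolower($name);
        $keep = in_array($lname, $allowedAttrs, true);
        if ($keep && in_array($lname, ['href', 'src'], true)) {
            $keep = urlIsSafe($el->getAttribute($name));   // value is already entity-decoded
        }
        if (!$keep) {
            $el->removeAttribute($name);
        }
    }
    if ($el->tagName === 'a' && $el->hasAttribute('href')) {
        $el->setAttribute('rel', 'noopener noreferrer');   // don't leak the app URL to mail links
    }
}

function cleanNode(DOMNode $node): void
{
    // Snapshot the children: replacing/removing while iterating a live NodeList skips nodes.
    foreach (iterator_to_array($node->childNodes, false) as $child) {
        if ($child instanceof DOMElement) {
            $tag = strtolower($child->tagName);
            if (in_array($tag, DROP_WITH_CONTENT, true)) {
                $node->removeChild($child);               // <script>...</script> disappears entirely
                continue;
            }
            if (!isset(ALLOWED[$tag])) {
                // Unknown or disallowed tag: keep its cleaned children, drop the tag itself.
                cleanNode($child);
                while ($child->firstChild !== null) {
                    $node->insertBefore($child->firstChild, $child);
                }
                $node->removeChild($child);
                continue;
            }
            cleanAttributes($child, ALLOWED[$tag]);
            cleanNode($child);
        } elseif ($child instanceof DOMComment || $child instanceof DOMProcessingInstruction) {
            $node->removeChild($child);   // comments can hide IE conditional-comment tricks
        }
        // Text nodes are left as they are; saveHTML() escapes them on output.
    }
}

function sanitizeHtml(string $html): string
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);   // mail HTML is rarely well-formed; don't spray warnings
    // The leading processing instruction makes libxml read the input as UTF-8.
    $doc->loadHTML('<?xml encoding="UTF-8">' . $html);
    libxml_clear_errors();
    $body = $doc->getElementsByTagName('body')->item(0);   // libxml always creates html/body
    if ($body === null) {
        return '';
    }
    cleanNode($body);
    $out = '';
    foreach ($body->childNodes as $child) {   // serialize only the body's content
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

// Constructed sample input (not a real message): every line carries one thing the
// sanitizer has to neutralize, plus harmless formatting that must survive.
$mail = '<html><head><style>body{color:red}</style></head><body>'
      . '<p style="color:red" onmouseover="alert(1)">Hello <b>world</b></p>'
      . '<script>alert(document.cookie)</script>'
      . '<a href="&#106;avascript:alert(1)">bad link</a> '
      . '<a href="https://example.com/">good link</a>'
      . '<blink>unknown tag, text kept</blink><!-- hidden comment -->'
      . '</body></html>';
echo sanitizeHtml($mail), "\n";
```

Apply this once, on the server, when the message is rendered (or on ingest, storing the cleaned copy), and serve the page with an explicit charset so the browser cannot reinterpret the bytes. The allowlist is deliberately short: when a new HTML element appears it is simply unwrapped, which is the property Andrew wants and which a blocklist cannot give. If the mail must keep its inline styling, parse the style attribute and allow individual properties rather than passing the attribute through.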