Pantek Library

Re: Preventing cross site scripting

From: Andrew Beverley <andy(at)andybev.com>
Date: Tue Jun 24 2003 - 16:52:19 EDT

Hi,

Just a quick note to say thanks to all the people who have come up with a wealth of different solutions to this problem. It seems to me as if the best solution is to htmlentities() (or similar) the whole lot, then only convert back what you know.

It's good to see that there are projects around trying to deal effectively with XSS. What would be brilliant would be if languages such as PHP included a built-in function for this. Not only would it make it dead easy, but also, as HTML standards change over time, the function would presumably be updated in future versions, and then by simply keeping an up-to-date copy of PHP (which presumably you would do anyway), your XSS filtering keeps up to date.

Thanks,

Andrew Beverley

Andrew Beverley wrote:

> I am currently writing a web application that, as a small part of it,
Received on Tue Jun 24 17:07:38 2003
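
The approach described in the message above (escape everything, then convert back only what you know), as an added example that is not part of the original post. The function name `render_user_html()`, the `ALLOWED_TAGS` list and the sample inputs are assumptions constructed for illustration.

```php
<?php
// Added illustration: ALLOWED_TAGS, render_user_html() and the sample
// inputs are assumptions, not code from the thread.
const ALLOWED_TAGS = ['b', 'i', 'em', 'strong', 'p', 'br'];

function render_user_html(string $input): string
{
    // Step 1: escape the whole lot, quotes included. Existing entities are
    // double-encoded, so a user who types "&lt;b&gt;" gets literal text back.
    $escaped = htmlentities($input, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    // Step 2: convert back only exact, attribute-free tags on the allowlist.
    // Anything carrying attributes (onclick=, style=, href=) never matches.
    $pattern = '~&lt;(/?)(' . implode('|', ALLOWED_TAGS) . ')&gt;~i';
    return preg_replace_callback(
        $pattern,
        static fn(array $m): string => '<' . $m[1] . strtolower($m[2]) . '>',
        $escaped
    );
}

// Constructed inputs => expected output.
$cases = [
    'Hello <b>world</b><BR>'      => 'Hello <b>world</b><br>',
    '<script>alert(1)</script>'   => '&lt;script&gt;alert(1)&lt;/script&gt;',
    '<b onclick="x()">hi</b>'     => '&lt;b onclick=&quot;x()&quot;&gt;hi</b>',
    '&lt;b&gt; typed literally'   => '&amp;lt;b&amp;gt; typed literally',
    "<a href='#'>link</a>"        => '&lt;a href=&#039;#&#039;&gt;link&lt;/a&gt;',
];
foreach ($cases as $in => $expected) {
    $out = render_user_html($in);
    if ($out !== $expected) {
        throw new RuntimeException("unexpected output for: $in");
    }
    echo $out, PHP_EOL;
}
```

The third case shows that a restored closing tag can end up without its opening partner, so output may contain unbalanced markup; that affects layout, not script execution.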

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:53 EDT

