Tõnu Samuel wrote: > Many websites are still vulnerable and similar problems happen not depending > on programming language too often: > http://www.jes.ee/~tonu/strip.php
yes, if you use strip_tags() with the whitelist argument the whitelisted tag can be misused.. the php manual warns you about this, so no news.. note that strip_tags() isn't the right function to use against xss (use regexpr, htmlentities() or htmlspecialchars() instead) the solution is: $foo = htmlentities(strip_tags($foo)); or just: $foo = htmlentities($foo); if you need to "white list" some tags use an alias (like [b]bold[/b], etc) and then str_replace (as done by many web applications) tonu: imho this thread is well suited for webappsec but not for fd or bt, also can you remove the word "vulnerability" from the subject of this type of mails? don't misunderstand me, i like informative mails and yours efforts, just post on the right mailing list : ) regards, ascii, http://www.ush.it _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
