2009/3/15 Martin Zvarík <mzva...@gmail.com>:
> "The browser will only execute script in source files from the white-listed domains and will disregard everything else, including embedded and inline scripts."
> wtf, can't you just take care of the INPUT and type
> strip_tags($_GET['my_name']) ??
> This won't be implemented in any browser, can't be.
strip_tags() isn't good. It only removes correct markup, IIRC. For example, "<b >>foo>" wouldn't be interpreted as a valid tag.
Often XSS attackers split their scripts to bypass such filters, common regex patterns and the like. Bypassing strip_tags() is easy.
The bad thing: browsers tend to accept a lot of mad markup.
Take a look at this: http://ha.ckers.org/xss.html
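To make the reply's point concrete, here is a small PHP 7+ script (an added example, not part of the thread or of PHP itself) that runs strip_tags() and contextual output encoding side by side on constructed inputs; the inputs, the render_attr() helper and the surrounding HTML fragment are assumptions.

```php
<?php
// Added example, not from the thread: why strip_tags() is the wrong XSS
// defence and what to use instead. Sample inputs are constructed here.

// Escape a value for use inside a double-quoted HTML attribute.
// (render_attr is an assumed helper name, not a PHP built-in.)
function render_attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed inputs a user could submit as ?my_name=...
$samples = [
    'Martin',                    // harmless
    '<b >>foo>',                 // the malformed markup from the reply
    'x" onmouseover="alert(1)',  // attribute break-out: contains no tag at all
];

foreach ($samples as $input) {
    // strip_tags() only removes what it recognises as a tag. The third
    // sample contains no '<', so it comes back unchanged, and once it is
    // placed between the quotes below the browser sees a new attribute.
    $stripped = strip_tags($input);
    $unsafe   = '<input name="my_name" value="' . $stripped . '">';

    // Encoding for the output context turns '"', '<' and '>' into entities,
    // so the browser always treats the value as text, whatever it contains.
    $safe     = '<input name="my_name" value="' . render_attr($input) . '">';

    echo "input:      $input\n";
    echo "strip_tags: $unsafe\n";
    echo "encoded:    $safe\n\n";
}
```

The script-source whitelisting quoted at the top of the thread is a defence-in-depth layer on top of output encoding, not a replacement for it: encoding fixes the bug, the browser policy limits the damage if a bug slips through.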