Jan G.B. wrote:
2009/3/15 Martin Zvarík <mzva...@gmail.com>:
"The browser will only execute script in source files from the white-listed
domains and will disregard everything else, including embedded and inline
wtf, can't you just take care of the INPUT and type
This won't be implemented in any browser, can't be.
strip_tags() isn't good. It only removes correct markup, IIRC. For
example "<b >>foo>" wouldn't be interpreted as a valid tag.
Often XSS attackers split their scripts to bypass such filters, common
regex patterns and the like. Bypassing strip_tags() is easy.
The bad thing: browsers tend to accept a lot of mad markup.
Take a look at this: http://ha.ckers.org/xss.html
Forgot to mention htmlspecialchars(), that should take care of everything.
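The difference the two replies above are arguing about, as an added example that is not part of the thread: a naive tag-stripping input filter (a stand-in for strip_tags()-style sanitising, written here in Python rather than PHP) beside output encoding in the style of htmlspecialchars(). The split-tag input is constructed for the demonstration.

```python
import html
import re

# Naive "clean the INPUT" filter: remove anything that looks like a
# well-formed tag. This stands in for strip_tags()-style sanitising;
# it is not PHP's implementation, just the same idea.
TAG_RE = re.compile(r"<[^<>]*>")


def naive_strip_tags(s: str) -> str:
    """Remove every well-formed <...> run in a single pass."""
    return TAG_RE.sub("", s)


def contains_tag(s: str) -> bool:
    """Does something a lenient browser could read as a tag survive?"""
    return TAG_RE.search(s) is not None


def escape_for_html(s: str) -> str:
    """Encode on OUTPUT, the htmlspecialchars($s, ENT_QUOTES) approach."""
    return html.escape(s, quote=True)


# Constructed inputs: the mangled tag from the thread and a split tag,
# where removing the inner tag reassembles an outer one.
SAMPLES = {
    "plain": "hello world",
    "malformed": "<b >>foo>",
    "split": "<b<i>>bold</b>",
}


def compare(s: str) -> dict:
    """Run both approaches and report whether markup survives each."""
    stripped = naive_strip_tags(s)
    escaped = escape_for_html(s)
    return {
        "stripped": stripped,
        "stripped_still_has_tag": contains_tag(stripped),
        "escaped": escaped,
        "escaped_still_has_tag": contains_tag(escaped),
    }


if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(name, compare(sample))
```

Stripping is a blacklist that has to anticipate every way markup can be mangled; escaping turns `<`, `>`, `&` and quotes into entities regardless of input shape, so nothing survives as a tag.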
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php