On Sun, Mar 14, 2010 at 12:13 PM, Ashley Sheridan

> I have to deal with a lot of CMS's, so I expect the users to enter some
> HTML code through a rich-text editor, and they expect to be able to.

I'd love to have a copy of whatever function you use to filter out bad
HTML/js/flash for use cases where users are allowed to enter html.
I'm aware of strip_tags() "allowed tags" param, but haven't got a good list
for it.

> Aside from that, it's good to have a complete copy of the code a user
> attempted to insert, to see the methodology of an attack should it ever
> occur.

I should've said "possibly log & mail the details of the attempt", which is
what I'd do ;)

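One defensive way to build the kind of filter asked about here, added as an example (not code from anyone in this thread): strip_tags() with an allowed-tags list, followed by a DOM pass that drops every attribute not explicitly allowed, since strip_tags() keeps all attributes of the tags it allows. The tag, attribute and URL-scheme lists are assumptions to tune per site, not a list from the original post.

```php
<?php
// Added example, not from the thread. Lists below are assumed starting points.
const ALLOWED_TAGS    = '<p><br><b><i><em><strong><ul><ol><li><a><blockquote>';
const ALLOWED_ATTRS   = ['a' => ['href']];        // every other attribute is dropped
const ALLOWED_SCHEMES = ['http', 'https', 'mailto']; // href schemes accepted

function filter_user_html(string $html): string
{
    // Pass 1: strip_tags() removes unlisted tags (their inner text stays)
    // but leaves attributes such as event handlers on the allowed tags.
    $stripped = strip_tags($html, ALLOWED_TAGS);

    // Pass 2: parse what is left and strip attributes not on the allowlist.
    $doc  = new DOMDocument();
    $prev = libxml_use_internal_errors(true);
    $doc->loadHTML('<?xml encoding="utf-8"?><div>' . $stripped . '</div>',
                   LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    libxml_use_internal_errors($prev);

    $xpath = new DOMXPath($doc);
    foreach ($xpath->query('//*') as $el) {
        $keep = ALLOWED_ATTRS[strtolower($el->tagName)] ?? [];
        foreach (iterator_to_array($el->attributes, false) as $attr) {
            $name = strtolower($attr->name);
            if (!in_array($name, $keep, true)) {
                $el->removeAttribute($attr->name);
                continue;
            }
            if ($name === 'href') {
                // Relative links have no scheme and are kept; other schemes go.
                $scheme = strtolower((string) parse_url(trim($attr->value), PHP_URL_SCHEME));
                if ($scheme !== '' && !in_array($scheme, ALLOWED_SCHEMES, true)) {
                    $el->removeAttribute('href');
                }
            }
        }
    }

    // Serialise the wrapper's children so the helper <div> is not returned.
    $out = '';
    foreach ($doc->getElementsByTagName('div')->item(0)->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

// Constructed sample input for demonstration only.
$sample = '<p onmouseover="x()">Hi <a href="javascript:y()">link</a><script>z()</script></p>';
echo filter_user_html($sample), PHP_EOL;
```

Note that strip_tags() keeps the text inside tags it removes, so the sample's script body survives as plain text; it is no longer executable, but if that text is unwanted the DOM pass is the place to remove whole elements as well.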