On Thu, 2010-05-20 at 14:27 +0100, David Otton wrote:

> On 20 May 2010 13:53, Al <n...@ridersite.org> wrote:
> >
> > I have a password-protected, user, on-line editor that I'm hardening against
> > hackers just in case a user's pw is stolen or local PC is infected.
> >
> > The user can enter html tags; but, I restrict the acceptable tags to benign
> > ones. e.g., <p>, <b>, <table>, etc.  e.g., no <embed... <script... etc.
> >
> > Just to be extra safe, I've added a function that parses for executables in
> > the raw, entered text. If found, I post and nasty error message and ignore
> > the entry altogether.
> That's not really going to work. See:
> http://ha.ckers.org/xss.html
> Blacklisting is a fundamentally flawed approach. I suggest using
> http://htmlpurifier.org/ instead.

I agree with Peter and David, it's not generally a good idea to roll your
own in this case, as the repercussions can be quite large if things go

If you absolutely must though, don't allow any HTML at all, and use
BBCode instead, which you can replace afterwards. Before entering the
data into a database run it through mysql_real_escape_string(), and if
you are displaying any user-entered data, run that through
htmlentities() or something similar.
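As an added example (not code from anyone in this thread), the BBCode approach suggested above in PHP: entity-encode the whole input first, then translate a fixed whitelist of BBCode tags into HTML, so nothing the user typed can reach the page as markup. The function name, the tag list and the sample text are my assumptions.

```php
<?php
// Added example, not from the thread: escape everything on output, then
// translate a small whitelist of BBCode tags into HTML. Because the raw
// text is entity-encoded first, <script> and on* attributes can never
// survive as markup; only the tags mapped below ever become HTML.

function bbcode_to_html(string $input): string
{
    // Step 1: neutralise every HTML-significant character in the input.
    $safe = htmlspecialchars($input, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    // Step 2: links need their own check, since a raw href is a vector even
    // inside BBCode. Only http(s) URLs are turned into anchors; anything
    // else (javascript:, data:, ...) is reduced to its plain link text.
    $safe = preg_replace_callback(
        '/\[url=(.*?)\](.*?)\[\/url\]/s',
        function (array $m): string {
            $url = html_entity_decode($m[1], ENT_QUOTES | ENT_HTML5, 'UTF-8');
            if (!preg_match('#^https?://#i', $url)) {
                return $m[2];
            }
            $href = htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
            return '<a href="' . $href . '" rel="nofollow">' . $m[2] . '</a>';
        },
        $safe
    );

    // Step 3: the whitelist of simple formatting tags, mapped to fixed HTML.
    // Square brackets are untouched by htmlspecialchars, so these still match.
    $rules = [
        '/\[b\](.*?)\[\/b\]/s' => '<b>$1</b>',
        '/\[i\](.*?)\[\/i\]/s' => '<i>$1</i>',
        '/\[p\](.*?)\[\/p\]/s' => '<p>$1</p>',
    ];
    return preg_replace(array_keys($rules), array_values($rules), $safe);
}

// Constructed sample input mixing allowed BBCode with hostile HTML.
$text = '[b]Hello[/b] <script>alert(1)</script> '
      . '[url=javascript:alert(1)]click[/url] [url=https://example.com]ok[/url]';
echo bbcode_to_html($text), PHP_EOL;
```

The script tag comes out entity-encoded, the javascript: link collapses to the bare word "click", and only the https link becomes an anchor.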

