On 20 May 2010 15:52, Al <n...@ridersite.org> wrote:

> I agree blacklisting is a flawed approach in general. My approach is to
> strictly confine entry text to a whitelist of benign, acceptable tags. The

But that's not what you've done. You've blacklisted the following patterns:

"error_reporting\(0\)",//Most hacks I've seen make certain they turn off error reporting
"\<?php",//Here for the heck of it.

and allowed everything else. A couple of examples:

You haven't blacklisted <iframe>

<IMG SRC="javascript:alert('XSS');"> would sail straight through that list.

I can't tell from that list alone, but are your checks
case-insensitive? Because <ScRipT> would pass through a case-sensitive

We can go on like this all day, and at the end of it you still won't
be sure you've blacklisted everything.

The first answer at
is related, also.

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
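Added example (not code from this thread or from Al's filter): the two quoted patterns wired up as a PCRE blacklist, next to a parse-and-rebuild tag whitelist, both run over the cases raised above. The function names, the allowed-tag table, safe_url() and the sample inputs are assumptions made for this illustration; the blacklist patterns are the two quoted above and are assumed to be used with preg_match.

```php
<?php
// Added example, not code from the thread. Function names, the allowed-tag
// table, safe_url() and the samples are assumptions for this illustration.

// Blacklist: reject input matching a known-bad pattern, allow everything else.
// In PCRE "\<?php" is an optional "<" followed by "php", and the checks are
// case-sensitive, so "<?PHP" slips through while the bare word "php" is caught.
function blacklist_filter($text)
{
    $bad = array('/error_reporting\(0\)/', '/\<?php/');
    foreach ($bad as $re) {
        if (preg_match($re, $text)) {
            return false;           // rejected
        }
    }
    return $text;                   // everything else passes unchanged
}

// Whitelist: parse the input as HTML, then emit only allowed elements and
// attributes. Tag/attribute case, entity-encoded attribute values and
// <?php ... ?> processing instructions are handled by the parser, not a regex.
function whitelist_filter($html)
{
    $allowed = array(
        'p' => array(), 'b' => array(), 'i' => array(), 'em' => array(),
        'strong' => array(), 'br' => array(),
        'a' => array('href'), 'img' => array('src', 'alt'),
    );
    $doc = new DOMDocument();
    $prev = libxml_use_internal_errors(true);   // tolerate tag soup quietly
    $doc->loadHTML('<div>' . $html . '</div>');
    libxml_use_internal_errors($prev);
    $wrapper = $doc->getElementsByTagName('div')->item(0);
    return render_allowed($wrapper, $allowed);
}

function render_allowed(DOMNode $node, array $allowed)
{
    $out = '';
    foreach ($node->childNodes as $child) {
        if ($child instanceof DOMText) {
            $out .= htmlspecialchars($child->nodeValue, ENT_QUOTES, 'UTF-8');
            continue;
        }
        if (!($child instanceof DOMElement)) {
            continue;               // comments and <?php ...> PIs are dropped
        }
        $tag = strtolower($child->tagName);
        if (in_array($tag, array('script', 'style', 'iframe', 'object', 'embed'), true)) {
            continue;               // dropped together with their contents
        }
        if (!isset($allowed[$tag])) {
            $out .= render_allowed($child, $allowed);   // unknown tag: keep text only
            continue;
        }
        $attrs = '';
        foreach ($allowed[$tag] as $name) {
            if (!$child->hasAttribute($name)) {
                continue;
            }
            $value = $child->getAttribute($name);       // entities already decoded
            if (($name === 'href' || $name === 'src') && !safe_url($value)) {
                continue;                               // javascript:, data:, ...
            }
            $attrs .= ' ' . $name . '="' . htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . '"';
        }
        if ($tag === 'img' && strpos($attrs, ' src=') === false) {
            continue;               // an image without a safe src is dropped
        }
        if ($tag === 'br' || $tag === 'img') {
            $out .= '<' . $tag . $attrs . '>';           // void elements
            continue;
        }
        $out .= '<' . $tag . $attrs . '>' . render_allowed($child, $allowed) . '</' . $tag . '>';
    }
    return $out;
}

// Allow only http(s) or relative URLs. Control characters and whitespace are
// stripped before the check because browsers ignore them inside the scheme.
function safe_url($url)
{
    $probe = preg_replace('/[\x00-\x20\x7f]+/', '', $url);
    if (preg_match('#^([a-z][a-z0-9+.-]*):#i', $probe, $m)) {
        return in_array(strtolower($m[1]), array('http', 'https'), true);
    }
    return true;
}

// Constructed sample inputs, including the cases raised in the thread.
$samples = array(
    '<b>bold</b> and <i>italic</i>',
    '<iframe src="http://example.com/"></iframe>',
    '<IMG SRC="javascript:alert(\'XSS\');">',
    '<ScRiPt>alert(1)</ScRiPt>',
    '<img src="pic.png" onerror="alert(1)">',
    '<a href="&#106;avascript:alert(1)">click</a>',
    '<?PHP ERROR_REPORTING(0); ?>',   // PHP function names are case-insensitive
);
foreach ($samples as $s) {
    printf("%-48s blacklist: %-6s whitelist: %s\n", $s,
        blacklist_filter($s) === false ? 'REJECT' : 'pass',
        whitelist_filter($s));
}
```

Run it with the PHP CLI: every one of the hostile samples shows "blacklist: pass", while the whitelist output keeps only the bold/italic text, the bare image (its onerror gone) and a link with its javascript: href removed. The &#106; case is the reason for parsing rather than pattern matching: the DOM hands getAttribute() the decoded value, so the scheme check sees "javascript:" even though that string never appears in the raw input.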
