Al wrote:
> On 5/20/2010 11:23 AM, David Otton wrote:
>> On 20 May 2010 15:52, Al<>  wrote:
>>> I agree blacklisting is a flawed approach in general. My approach is to
>>> strictly confine entry text to a whitelist of benign, acceptable
>>> tags. The
>> But that's not what you've done. You've blacklisted the following
>> patterns:
>> "\<script\x20",
>> "\<embed\x20",
>> "\<object\x20",
>> 'language="javascript"',
>> 'type="text/javascript"',
>> 'language="vbscript\"',
>> 'type="text/vbscript"',
>> 'language="vbscript"',
>> 'type="text/tcl"',
>> "error_reporting\(0\)",//Most hacks I've seen make certain they turn
>> of error reporting
>> "\<?php",//Here for the heck of it.
>> and allowed everything else. A couple of examples:
>> You haven't blacklisted<iframe>
>> <IMG SRC="javascript:alert('XSS');">  would sail straight through that
>> list.
>> I can't tell from that list alone, but are your checks
>> case-insensitive? Because<ScRipT>  would pass through a case-sensitive
>> check.
>> We can go on like this all day, and at the end of it you still won't
>> be sure you've blacklisted everything.
>> The first answer at
>> is related, also.
> I'm not being clear. First pass is thru the blacklist, which effectually
> tells hacker to not bother and totally deletes the entry.
> If the raw entry gets past the blacklist, it must then only contain my
> whitelist tags. e.g., the two examples you cited were caught by the
> whitelist parser.

What exactly does your whitelist parser do?

> And yes, I'm using preg_match() with the "i" arg.
> Note, my blacklist is not looking for tags per se, just the start of a
> bad tag. My users are only suppose to be entering plain text with some
> nice highlighting and lists, etc. The editor will not post anything else.

But who say I have to use your editor?

> Al...

Jim Lucas

   "Some men are born to greatness, some achieve greatness,
       and some have greatness thrust upon them."

Twelfth Night, Act II, Scene V
    by William Shakespeare

PHP General Mailing List (
To unsubscribe, visit:

Reply via email to