Is the general wisdom that using strip_tags on input is sufficient to 
protect against XSS vulnerabilities from that input?  I have been doing 
some reading on it but haven't found anything that suggests a 
vulnerability that removing the tags in this way would not cure.

Are there multi-level encodings that can get past strip_tags?

I probably should also be doing a urldecode before strip_tags to get 
around any hex encodings, or does strip_tags handle that?

Thanks for any info,

--
Tom

-- 
PHP General Mailing List (http://www.php.net/)
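
An added example (not part of the original post) that runs the two functions the question names, `strip_tags()` and `urldecode()`, over a few inputs and prints what each leaves behind, next to output encoding with `htmlspecialchars()`. The sample strings and the `html_out()` helper are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample inputs (not from the original post).
$samples = [
    'markup'      => '<b>hello</b>',
    'quote only'  => 'x" data-injected="1',   // contains no tags at all
    'pct-encoded' => '%3Cb%3Ehello%3C/b%3E',  // still percent-encoded
];

// Hypothetical helper: encode a value for HTML text or a quoted attribute.
function html_out(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

foreach ($samples as $label => $raw) {
    $stripped = strip_tags($raw);

    echo "[$label]", PHP_EOL;
    echo '  raw input               : ', $raw, PHP_EOL;
    echo '  strip_tags()            : ', $stripped, PHP_EOL;
    // Decoding after filtering shows what a later decode step would restore.
    echo '  urldecode(strip_tags()) : ', urldecode($stripped), PHP_EOL;
    // The same value placed in a quoted attribute, filtered vs. encoded.
    echo '  attribute, stripped only: <input value="', $stripped, '">', PHP_EOL;
    echo '  attribute, html_out()   : <input value="', html_out($raw), '">', PHP_EOL;
    echo PHP_EOL;
}
```

The quote-only value passes through `strip_tags()` unchanged and ends the `value` attribute early, and the percent-encoded value also passes unchanged and turns back into markup if it is decoded after filtering. Encoding at output time with `html_out()` keeps every sample inert inside the attribute.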