Unfortunately css attacks are more complicated than that. As is generally
the case with input validation, it's flawed to try to come up with a list of
*bad* things and filter them out - rather, you should come up with a list
of things that are OK, and *only allow* those...
I.e., if I were validating a name, I wouldn't do this:
if string contains < then reject
if string contains > then reject
...
... etc
I'd do this:
// eregi() is gone from modern PHP; preg_match() with the /i flag is the
// case-insensitive equivalent of the original pattern.
if (!preg_match('/^[a-z0-9 -]+$/i', $name)) {
    // bail out with an informative error message
    // I can't imagine why a name would have numbers in it, but nevermind ;)
} else {
    // trust the input
}
That way, css is made far more difficult. Of course, for situations where
more flexibility is required, you can replace < > with their encoded
equivalents and suchlike, but that's not foolproof. The first solution is
generally quicker and more watertight.
Harry M
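The point above (a blocklist of characters versus an allowlist, with encoding as the fallback for fields that need more flexibility) in runnable form. This is an added example, not code from Harry M's post: the function names, the attribute-context payload and the sample inputs are constructed for illustration, and css here is used in the post's sense of cross-site scripting.

```php
<?php
// Added example (not part of the original post): allowlist validation
// versus a '<'/'>' blocklist, plus context-aware encoding for fields that
// need more flexibility than the allowlist permits.

// The blocklist approach: accept unless '<' or '>' appears.
// (strpos rather than str_contains so this also runs on PHP 7.)
function blocklistAccepts(string $input): bool
{
    return strpos($input, '<') === false && strpos($input, '>') === false;
}

// The allowlist approach: accept only letters, digits, spaces and hyphens.
// Same character class as the post's pattern, written for preg_match().
function allowlistAccepts(string $input): bool
{
    return preg_match('/^[a-z0-9 -]+$/i', $input) === 1;
}

// For fields that genuinely need other characters, encode for the HTML
// context the value is rendered in instead of deleting characters.
// ENT_QUOTES also encodes single and double quotes, which matters when the
// value lands inside a quoted attribute.
function renderNameField(string $name): string
{
    $safe = htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
    return '<input type="text" name="name" value="' . $safe . '">';
}

// Constructed sample inputs (not taken from any real application).
$inputs = [
    'Harry M',
    '<script>alert(1)</script>',
    // No angle brackets at all: this one closes the quoted value attribute
    // and adds an event handler, so a '<'/'>' blocklist lets it through
    // while the allowlist rejects it on the '"' and '(' alone.
    '" onmouseover="alert(1)',
];

foreach ($inputs as $input) {
    printf(
        "%-30s blocklist=%-6s allowlist=%s\n",
        var_export($input, true),
        blocklistAccepts($input) ? 'accept' : 'reject',
        allowlistAccepts($input) ? 'accept' : 'reject'
    );
}

// The flexible path: with ENT_QUOTES the double quotes in the payload are
// encoded as &quot;, so the value cannot break out of the attribute.
echo renderNameField('" onmouseover="alert(1)'), "\n";
```

The third sample is the reason a character blocklist is the wrong shape: which characters are dangerous depends on where the value ends up (between tags, inside an attribute, inside a script block), and a list written with one context in mind misses the others. An allowlist does not need to know the output context at all, and where the allowlist is too strict, encoding for the specific output context is the fallback, not a longer blocklist.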