--- Leon Rosenberg wrote:
> Hmm, the OP said:
>> I am trying to find a best solution to prevent
>> Cross site scripting attacks.

Oops. Yep, I guess I latched on to the discussion after the "but I need to allow markup" bit; sorry.

> Allowing the user to inject HTML markup in your
> pages is the road to hell anyway.

Yeah, it sucks, but sometimes it's a reality. I've never (I think) needed to support more than the obvious formatting tags; I just stripped out any attributes and left only the tags. Lately I had to support <div.../> tags, but I only allowed a single name or id attribute (and it's not public-access anyway), and I may just switch over to using something like Textile/etc. and not worry about it at all.

> But hey, feel free to email me the urls of the sites
> which allow markup, we will find some "other" usage
> for them. :p

d.
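The approach described in the message above (keep a handful of formatting tags, drop every attribute, and permit only a single `id` or `name` on `<div>`) is shown here as an added example; it is not code from the thread or from any of the posters. The allowlist of tags, the attribute-value pattern and the sample inputs are all assumptions made for the example, since the message only says "the obvious formatting tags". It uses a real HTML tokenizer rather than regexes so that disallowed tags are removed whole and all text content is re-escaped on output:

```python
"""Allowlist HTML sanitizer (added example, not the poster's code).

Policy, as assumed for this example:
  * a small set of formatting tags is kept, with no attributes at all;
  * <div> is kept with at most one attribute, which must be id or name
    and must match a conservative pattern;
  * every other tag (script, img, iframe, ...) is dropped entirely and
    its text content is HTML-escaped;
  * comments, doctype and processing instructions are dropped;
  * unclosed allowed tags are closed at the end so nesting stays balanced.
"""
import re
from html import escape
from html.parser import HTMLParser

# Assumed allowlist; the thread only mentions "the obvious formatting tags".
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br", "ul", "ol", "li", "div"}
# Tags that may carry one attribute, and which attribute names qualify.
ALLOWED_ATTRS = {"div": {"id", "name"}}
VOID_TAGS = {"br"}
# Conservative id/name value: letter first, then letters, digits, '_' or '-'.
ATTR_VALUE_RE = re.compile(r"[A-Za-z][A-Za-z0-9_-]{0,63}")


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        # convert_charrefs=True gives handle_data decoded text, which we
        # re-escape, so "&lt;script&gt;" cannot smuggle a tag through.
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_stack = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # tag dropped; its text content still arrives via handle_data
        kept = ""
        for name, value in attrs:
            if name in ALLOWED_ATTRS.get(tag, ()) and value and ATTR_VALUE_RE.fullmatch(value):
                kept = ' %s="%s"' % (name, escape(value, quote=True))
                break  # a single attribute only, as described in the message
        if tag in VOID_TAGS:
            self.out.append("<%s>" % tag)
        else:
            self.out.append("<%s%s>" % (tag, kept))
            self.open_stack.append(tag)

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)
        if tag not in VOID_TAGS:
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if tag not in self.open_stack:
            return  # stray or disallowed close tag: ignore
        # Close everything opened after the matching tag, then the tag itself.
        while self.open_stack:
            t = self.open_stack.pop()
            self.out.append("</%s>" % t)
            if t == tag:
                break

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))

    # Comments, doctype, processing instructions and CDATA declarations are
    # never emitted.
    def handle_comment(self, data):
        pass

    def handle_decl(self, decl):
        pass

    def handle_pi(self, data):
        pass

    def unknown_decl(self, data):
        pass

    def result(self):
        self.close()
        while self.open_stack:  # balance any tags the input left open
            self.out.append("</%s>" % self.open_stack.pop())
        return "".join(self.out)


def sanitize(untrusted_html):
    """Return a version of untrusted_html containing only allowlisted markup."""
    parser = AllowlistSanitizer()
    parser.feed(untrusted_html)
    return parser.result()


if __name__ == "__main__":
    # Constructed sample inputs for demonstration.
    for sample in (
        '<b>hi</b><script>alert(1)</script>',
        '<b onmouseover="x()">bold</b>',
        '<div id="main" class="x" onclick="y()">t</div>',
        '<img src=x onerror=alert(1)><i>unclosed',
    ):
        print(repr(sample), "->", repr(sanitize(sample)))
```

Note that this implements the policy the message describes, not a general-purpose sanitizer: browsers are far more forgiving than `html.parser`, so for anything public-facing a maintained sanitizer library, or a non-HTML markup language such as the Textile option mentioned in the message, is the safer choice.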