Nick Kew wrote:

> Morten K. Poulsen wrote:
>
> > On Wed, 2009-10-28 at 19:06 +0200, antoine wrote:
> >
> > > Consider that we have an HTML form and a PHP script that handles the
> > > posted data. The scenario is that the bad guy writes in the form, for
> > > example, "<script> ... bad javascript code </script>" and posts this,
> > > so when the client gets the page we have an attack.
> >
> > Apache is not the right point to protect against things like that. It
> > would be an ugly hack, which would easily be circumvented by the
> > attacker. Use PHP's htmlentities() or strip_tags() on the untrusted
> > data before echoing it back to the clients. The manual pages explain
> > how to do this.
>
> Nevertheless, mod_security offers some protection where applications are
> problematic and can't be fixed. I don't know if it would help the OP,
> because I don't know the root cause of his problem.
Thank you guys for your propositions, but don't focus on the security model. In general, if I use an input filter, can I modify the page's static HTML code before any dynamic code is inserted?

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
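The fix Morten recommends, shown as an added example that is not part of the thread and not code from any of the posters: a minimal PHP handler that echoes a posted field back into the page, first as the poster describes it (untrusted data written straight into the HTML), then with output encoding, and then with strip_tags() so the difference is visible. The field name "comment" and the constructed sample payload are assumptions for illustration; the script fakes the POST data so it runs from the command line.

```php
<?php
// Added example, not from the thread. The "comment" field name and the
// sample payload below are assumptions for illustration.

// Constructed stand-in for what the browser would POST; it carries the kind
// of payload the original poster describes, plus quotes and an event handler.
$posted = [
    'comment' => '<script>alert(document.cookie)</script> "Hi" <b onmouseover="evil()">x</b>',
];

// Vulnerable: untrusted data is interpolated straight into the HTML body, so
// the browser parses the <script> element and runs it.
function render_vulnerable(string $comment): string
{
    return "<p>You wrote: $comment</p>";
}

// Hardened: encode for the HTML body and attribute contexts before output.
// ENT_QUOTES encodes both ' and ", so the same value is also safe inside a
// quoted attribute. The charset argument must match the page's encoding.
function render_escaped(string $comment): string
{
    $safe = htmlspecialchars($comment, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<p>You wrote: $safe</p>\n"
        . '<input type="text" name="comment" value="' . $safe . '">';
}

// strip_tags() removes markup but does not encode what remains: quotes,
// ampersands and a stray "<" pass through untouched. It trims the input,
// it does not make it safe for a given output context, so on its own it is
// not a substitute for escaping.
function render_stripped(string $comment): string
{
    return '<p>You wrote: ' . strip_tags($comment) . '</p>';
}

echo "vulnerable: ", render_vulnerable($posted['comment']), PHP_EOL;
echo "escaped:    ", render_escaped($posted['comment']), PHP_EOL;
echo "stripped:   ", render_stripped($posted['comment']), PHP_EOL;
```

Run it with `php handler.php` and compare the three lines: only the escaped output turns the `<`, `>` and `"` of the payload into entities, which is what keeps the browser from treating the data as markup. The encoder has to match where the value lands (HTML body, attribute, URL, JavaScript string); htmlspecialchars() covers the first two, which is the case the thread is about.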