Re: Re: The PHP filter class I'm working on (securiity)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



2009/3/15 Martin Zvarík <mzvarik@xxxxxxxxx>:
> "The browser will only execute script in source files from the white-listed
> domains and will disregard everything else, including embedded and inline
> scripts. "
>
> wtf, can't you just take care of the INPUT and type
> strip_tags($_GET['my_name']) ??
>
> This won't be implemented in any browser, can't be.
>
strip_tags() isn't good. it only removes correct markup, IIRC. for
example "<b >>foo>" wouldn't be interpreted as a valid tag.
Often XSS attackers split their scripts to bypass such filters, common
regex patterns and alike. bypassing strip_tags() is easy.
the bad thing: browsers tend to accept a lot of mad markup.
take a look at this: http://ha.ckers.org/xss.html

regards

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



[Index of Archives]     [PHP Home]     [Apache Users]     [PHP on Windows]     [Kernel Newbies]     [PHP Install]     [PHP Classes]     [Pear]     [Postgresql]     [Postgresql PHP]     [PHP on Windows]     [PHP Database Programming]     [PHP SOAP]

  Powered by Linux