2009/3/15 Martin Zvarík <mzvarik@xxxxxxxxx>:
> "The browser will only execute script in source files from the white-listed
> domains and will disregard everything else, including embedded and inline
> scripts. "
>
> wtf, can't you just take care of the INPUT and type
> strip_tags($_GET['my_name']) ??
>
> This won't be implemented in any browser, can't be.
>

strip_tags() isn't good. It only removes correct markup, IIRC. For example, "<b >>foo>" wouldn't be interpreted as a valid tag. Often XSS attackers split their scripts to bypass such filters, common regex patterns and the like. Bypassing strip_tags() is easy.

The bad thing: browsers tend to accept a lot of mad markup.

Take a look at this: http://ha.ckers.org/xss.html

regards

--
PHP General Mailing List (http://www.php.net/)
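An added example (not code from the thread above) contrasting the "filter the input with strip_tags()" idea with context-aware output encoding via htmlspecialchars(); the function names and the sample inputs are constructed for illustration.

```php
<?php
// Added example, not code from the original thread. Inputs are constructed.
// Shows why strip_tags() on input is not an XSS defence and what to use
// instead: encode at output time for the context the value lands in.

declare(strict_types=1);

/** "Filter the input" approach: strip tags, then drop the value into HTML. */
function renderWithStripTags(string $name): string
{
    $filtered = strip_tags($name);
    // strip_tags() only removes well-formed tags; quotes, stray '<' / '>'
    // and everything else pass through, and the attribute context is ignored.
    return '<span title="' . $filtered . '">' . $filtered . '</span>';
}

/** Output-encoding approach: escape for the HTML text/attribute context. */
function renderWithEscaping(string $name): string
{
    // ENT_QUOTES encodes both quote styles, so the value cannot close the
    // title attribute; ENT_SUBSTITUTE replaces invalid UTF-8 instead of
    // returning an empty string.
    $safe = htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<span title="' . $safe . '">' . $safe . '</span>';
}

// Constructed inputs: a plain name, a name with an apostrophe, the malformed
// markup quoted in the thread, and a value that closes the title attribute
// without containing any tag at all (so strip_tags() leaves it untouched).
$inputs = [
    'Alice',
    "O'Brien",
    '<b >>foo>',
    'foo" data-x="bar',
];

foreach ($inputs as $name) {
    echo 'input:      ', var_export($name, true), PHP_EOL;
    echo 'strip_tags: ', renderWithStripTags($name), PHP_EOL;
    echo 'escaped:    ', renderWithEscaping($name), PHP_EOL, PHP_EOL;
}
```

Run it with `php example.php` and compare the two renderings of the last input: the strip_tags() version yields a new attribute on the span, while the escaped version keeps the whole value inside the title as text.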