Jan G.B. napsal(a):
2009/3/15 Martin Zvarík <mzvarik@xxxxxxxxx>:
"The browser will only execute script in source files from the white-listed
domains and will disregard everything else, including embedded and inline
scripts. "
wtf, can't you just take care of the INPUT and type
strip_tags($_GET['my_name']) ??
This won't be implemented in any browser, can't be.
strip_tags() isn't good. it only removes correct markup, IIRC. for
example "<b >>foo>" wouldn't be interpreted as a valid tag.
Often XSS attackers split their scripts to bypass such filters, common
regex patterns and alike. bypassing strip_tags() is easy.
the bad thing: browsers tend to accept a lot of mad markup.
take a look at this: http://ha.ckers.org/xss.html
regards
Forget to mention htmlspecialchars(), that should take care of everything.
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php