On Sun, Mar 14, 2010 at 12:13 PM, Ashley Sheridan <ash@xxxxxxxxxxxxxxxxxxxx> wrote:
>
> I have to deal with a lot of CMS's, so I expect the users to enter some
> HTML code through a rich-text editor, and they expect to be able to.
>

I'd love to have a copy of whatever function you use to filter out bad HTML/js/flash for use cases where users are allowed to enter html. I'm aware of strip_tags() "allowed tags" param, but haven't got a good list for it.

>
> Aside from that, it's good to have a complete copy of the code a user
> attempted to insert, to see the methodology of an attack should it ever
> occur.
>

I should've said "possibly log & mail the details of the attempt", which is what I'd do ;)
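As an added example (not code from either poster in this thread), the following sketches the kind of filter the reply asks for: an allow-list sanitizer built on PHP's DOM extension rather than on strip_tags(). The motivation is the documented limitation of strip_tags(): its allowed-tags parameter keeps every attribute on the tags you allow, so an `onclick` on an allowed `<b>` survives, and the text content of a stripped `<script>` element is left in place. The tag, attribute and URL-scheme lists below are assumptions chosen for illustration, not a list recommended anywhere in the thread, and the `$removed` counter is there so a caller can log the attempt as the second reply suggests.

```php
<?php
// Added example: allow-list HTML sanitizer using DOMDocument.
// ALLOWED_TAGS maps tag name => list of permitted attributes (assumed lists).
const ALLOWED_TAGS = [
    'p' => [], 'br' => [], 'b' => [], 'strong' => [], 'i' => [], 'em' => [],
    'ul' => [], 'ol' => [], 'li' => [],
    'a' => ['href', 'title'],
    'img' => ['src', 'alt'],
];
const ALLOWED_URL_SCHEMES = ['http', 'https', 'mailto'];

// Returns the cleaned fragment; $removed counts dropped nodes/attributes so the
// caller can decide whether to log the original input.
function sanitize_html(string $html, int &$removed = 0): string
{
    $removed = 0;
    if (trim($html) === '') {
        return '';
    }
    $doc = new DOMDocument();
    $prev = libxml_use_internal_errors(true);
    // Wrap the fragment in a known container so it parses predictably; force UTF-8.
    $doc->loadHTML(
        '<?xml encoding="UTF-8"?><div>' . $html . '</div>',
        LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD
    );
    libxml_clear_errors();
    libxml_use_internal_errors($prev);

    // The first <div> is our wrapper, since everything the user sent sits inside it.
    $root = $doc->getElementsByTagName('div')->item(0);
    if ($root === null) {
        return '';
    }
    clean_node($root, $removed);

    $out = '';
    foreach ($root->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

function clean_node(DOMNode $node, int &$removed): void
{
    // Work on a static copy: we mutate the live childNodes list while iterating.
    foreach (iterator_to_array($node->childNodes) as $child) {
        if ($child instanceof DOMElement) {
            $tag = strtolower($child->tagName);
            if (!array_key_exists($tag, ALLOWED_TAGS)) {
                // Unknown element: drop it together with its contents
                // (this is what removes script, style, object, embed, iframe ...).
                $node->removeChild($child);
                $removed++;
                continue;
            }
            // Drop every attribute not allow-listed for this tag, and any
            // href/src whose scheme is not allow-listed.
            foreach (iterator_to_array($child->attributes) as $attr) {
                $name = strtolower($attr->name);
                $allowed = in_array($name, ALLOWED_TAGS[$tag], true)
                    && (!in_array($name, ['href', 'src'], true) || url_is_safe($attr->value));
                if (!$allowed) {
                    $child->removeAttribute($attr->name);
                    $removed++;
                }
            }
            clean_node($child, $removed);
        } elseif (!($child instanceof DOMText)) {
            // Comments, CDATA sections, processing instructions: not wanted in user content.
            $node->removeChild($child);
            $removed++;
        }
    }
}

function url_is_safe(string $url): bool
{
    $url = trim($url);
    if (!preg_match('#^([a-z][a-z0-9+.-]*):#i', $url, $m)) {
        return true; // relative URL, no scheme to check
    }
    return in_array(strtolower($m[1]), ALLOWED_URL_SCHEMES, true);
}

// Constructed sample input for comparison. strip_tags() keeps the onclick
// attribute on the allowed <b> and leaves the text inside <script> behind;
// sanitize_html() drops both and reports how many things it removed.
$sample = '<p>Hello <b onclick="x()">world</b><script>x()</script></p>';
echo strip_tags($sample, '<p><b>'), "\n";
echo sanitize_html($sample, $removed), "\n";
echo "removed: $removed\n";
```

When `$removed` is non-zero, the caller has exactly the signal the second reply describes: keep the raw `$sample` alongside the cleaned output and log or mail it for later review. Note that the DOM-based approach re-serializes the markup, so output will be normalized (closed tags, quoted attributes) rather than byte-identical to what the user typed.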