Question about a security function


I have a password-protected, user, on-line editor that I'm hardening against hackers just in case a user's pw is stolen or local PC is infected.

The user can enter html tags; but, I restrict the acceptable tags to benign ones. e.g., <p>, <b>, <table>, etc. e.g., no <embed... <script... etc.

Just to be extra safe, I've added a function that parses for executables in the raw, entered text. If found, I post a nasty error message and ignore the entry altogether.

Here are my regex patterns. I tried finding a complete list of browser executables; but was unsuccessful, probably because I didn't use the right key words.

Anyone have suggestions for additional patterns?

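// Patterns are listed without delimiters. With / as the preg delimiter,
// the / in "text/..." must be escaped, or a delimiter such as ~ used instead.
$securityPatternsArray=array(
"\<script\x20",
"\<embed\x20",
"\<object\x20",
'language="javascript"',
'type="text/javascript"',
'language="vbscript"',
'type="text/vbscript"',
'type="text/tcl"',
"error_reporting\(0\)",//Most hacks I've seen make certain they turn off error reporting
"\<\?php",//Here for the heck of it. The ? is escaped so it matches a literal "<?php" rather than any "php".
);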

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
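
The allowlist rule the post describes (accept only benign tags), as an added example that is not part of the original message: it parses the entered HTML with PHP's DOM extension, keeps only allowlisted tags and drops every attribute from the tags it keeps. The tag list, the function names and the sample input are assumptions made for illustration.

```php
<?php
// Added example: allowlist sanitizer for the "benign tags only" rule.
// ALLOWED_TAGS is an assumed list built from the tags the post names.
const ALLOWED_TAGS = ['p', 'b', 'i', 'br', 'table', 'tr', 'td', 'th'];

function cleanNode(DOMNode $node): void
{
    // Copy the child list first: the live list shifts while nodes are removed.
    foreach (iterator_to_array($node->childNodes) as $child) {
        if ($child instanceof DOMElement) {
            if (!in_array(strtolower($child->tagName), ALLOWED_TAGS, true)) {
                $node->removeChild($child); // drop the element and its contents
                continue;
            }
            // Allowed tags keep no attributes at all.
            foreach (iterator_to_array($child->attributes) as $attr) {
                $child->removeAttributeNode($attr);
            }
            cleanNode($child);
        } elseif (!($child instanceof DOMText)) {
            $node->removeChild($child); // comments, processing instructions
        }
    }
}

function sanitizeFragment(string $html): string
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true); // tolerate sloppy user markup
    // The XML prolog makes libxml read the input as UTF-8; the div is a
    // known container so the fragment can be found again after parsing.
    $doc->loadHTML('<?xml encoding="UTF-8"><div>' . $html . '</div>', LIBXML_NONET);
    libxml_clear_errors();
    $root = $doc->getElementsByTagName('div')->item(0);
    cleanNode($root);
    $out = '';
    foreach ($root->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

// Constructed sample input (not from the original post).
$input = '<p style="color:red">Hello <b>world</b></p><script>x()</script><!-- n -->';
echo sanitizeFragment($input), "\n";
```

Because the output is rebuilt from the parsed tree, anything that is not an allowlisted element or text is absent from the result regardless of how it was spelled in the input.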

