On Thu, 2010-05-20 at 14:27 +0100, David Otton wrote:
> On 20 May 2010 13:53, Al <news@xxxxxxxxxxxxx> wrote:
> >
> > I have a password-protected, user, on-line editor that I'm hardening against
> > hackers just in case a user's pw is stolen or local PC is infected.
> >
> > The user can enter html tags; but, I restrict the acceptable tags to benign
> > ones. e.g., <p>, <b>, <table>, etc. e.g., no <embed... <script... etc.
> >
> > Just to be extra safe, I've added a function that parses for executables in
> > the raw, entered text. If found, I post a nasty error message and ignore
> > the entry altogether.
>
> That's not really going to work. See:
>
> http://ha.ckers.org/xss.html
>
> Blacklisting is a fundamentally flawed approach. I suggest using
> http://htmlpurifier.org/ instead.
>

I agree with Peter and David, it's not generally a good idea to roll your own in this case, as the repercussions can be quite large if things go wrong!

If you absolutely must though, don't allow any HTML at all, and use BBCode instead, which you can replace afterwards. Before entering the data into a database run it through mysql_real_escape_string(), and if you are displaying any user-entered data, run that through htmlentities() or something similar.

Thanks,
Ash
http://www.ashleysheridan.co.uk
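The escape-first, whitelist-BBCode approach Ash describes, as an added PHP example that is not from this thread or any poster. It covers only the display side (the database step is left out); the tag set, the URL rule and the sample inputs are assumptions of the example.

```php
<?php
// Added example: escape everything first, then translate a fixed set of
// BBCode tags. Nothing the user typed ever reaches the page as raw HTML.

function bbcodeToHtml(string $raw): string
{
    // Step 1: neutralise every HTML-significant character. From here on the
    // string contains no '<', '>', '&' or quote the browser will treat as markup.
    $safe = htmlspecialchars($raw, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    // Step 2: whitelist. Only these paired tags become HTML; any other
    // bracketed text stays literal. (Tag set is an assumption of the example.)
    $simple = ['b' => 'strong', 'i' => 'em', 'u' => 'u'];
    foreach ($simple as $bb => $html) {
        $safe = preg_replace(
            '/\[' . $bb . '\](.*?)\[\/' . $bb . '\]/s',
            '<' . $html . '>$1</' . $html . '>',
            $safe
        );
    }

    // [url=...]text[/url]: accept only absolute http(s) URLs so that no other
    // scheme can land in an href attribute; otherwise keep the link text only.
    $safe = preg_replace_callback(
        '/\[url=([^\]]+)\](.*?)\[\/url\]/s',
        function (array $m): string {
            $href = $m[1]; // already HTML-escaped by step 1
            if (!preg_match('#^https?://[^\s<>]+$#i', $href)) {
                return $m[2];
            }
            return '<a href="' . $href . '" rel="nofollow">' . $m[2] . '</a>';
        },
        $safe
    );

    return nl2br($safe);
}

// Constructed sample inputs: plain BBCode, raw HTML that must stay inert,
// and a link whose scheme is not allowed next to one that is.
$samples = [
    "Hello [b]world[/b]",
    "<script>alert(1)</script>[i]text[/i]",
    "[url=javascript:alert(1)]click[/url] [url=https://example.com/?a=1&b=2]ok[/url]",
];
foreach ($samples as $s) {
    echo bbcodeToHtml($s), "\n";
}
```

The second sample renders as the literal text `<script>alert(1)</script>` followed by italic text, and the third keeps only "click" for the rejected link while the https link survives with its `&` correctly encoded as `&amp;` in the attribute.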