Yes, it is much safer to reject rather than sanitize.  If bad tags are
detected then reject the input out of hand.  If you don't, your
sanitizer could be turned against you and end up changing slightly
dangerous tags into really dangerous tags. What happens here
<scr<script>ipt> when a sanitizer is set to remove all of the script
tags?  If the user made a genuine mistake then let them fix it.
Otherwise it is a hack attempt and not worth your trouble.

On Jul 13, 8:08 am, Horst Gutmann <[EMAIL PROTECTED]> wrote:
> The problem with whatever system you use, is the huge amount of ways to
> inject XSS attacks into HTML thanks to problems in the various browser
> engines. A few weeks ago I found a nice listing (nice looooong listing) but
> can't remember the URL anymore :-/
>
> .. _BeautifulSoup:http://www.crummy.com/software/BeautifulSoup/
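As an added illustration of the point made above (example code, not from the original thread): a single-pass tag-stripping sanitizer fed the nested-tag trick quoted in the post produces a live script tag, whereas an allowlist validator that refuses the whole submission never emits markup the user did not write. The allowlist and the sample strings are constructed for this example.

```python
import re
from html.parser import HTMLParser

# Constructed inputs for this example. NESTED uses the nested-tag trick
# mentioned in the post; CLEAN is ordinary, acceptable markup.
NESTED = "<p>hi</p><scr<script>ipt>alert(1)</script>"
CLEAN = "<p>Hello <b>world</b></p>"

# The approach the post warns against: delete script tags, keep the rest.
SCRIPT_TAG_RE = re.compile(r"</?script[^>]*>", re.IGNORECASE)

def naive_strip(html: str) -> str:
    """Single-pass removal of <script> / </script>. Removing the inner tag
    from '<scr<script>ipt>' splices the outer fragments into '<script>'."""
    return SCRIPT_TAG_RE.sub("", html)

# The approach the post recommends: allowlist the tags you accept and reject
# the whole submission when anything else appears (hypothetical allowlist).
ALLOWED_TAGS = frozenset({"p", "b", "i", "em", "strong", "ul", "ol", "li", "br"})

class TagAuditor(HTMLParser):
    """Records every start or end tag that is not on the allowlist."""
    def __init__(self):
        super().__init__()
        self.violations = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            self.violations.append(tag)

    def handle_endtag(self, tag):
        if tag not in ALLOWED_TAGS:
            self.violations.append(tag)

def validate_or_reject(html: str):
    """Return (accepted, violations). Nothing is rewritten: the input is
    either accepted as-is or refused, so the check cannot manufacture tags."""
    auditor = TagAuditor()
    auditor.feed(html)
    auditor.close()
    return (not auditor.violations, list(auditor.violations))

if __name__ == "__main__":
    print("naive_strip ->", naive_strip(NESTED))        # a live <script> tag
    print("validate    ->", validate_or_reject(NESTED))  # (False, [...])
    print("validate    ->", validate_or_reject(CLEAN))   # (True, [])
```

Running it shows the stripped result is exactly the tag the sanitizer was meant to remove, while the validator refuses the same input and accepts the clean one unchanged.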


You received this message because you are subscribed to the Google Groups "Django users" group.
For more options, visit this group at http://groups.google.com/group/django-users?hl=en