--- Arnout Boks <[EMAIL PROTECTED]> wrote:

> But about the XSS attacks: what is a XSS attack, and is there
> a way I can let users still use some HTML tags (like <B> and
> <BR>)?

You might find this article helpful:

http://shiflett.org/articles/foiling-cross-site-attacks

One easy way to mitigate most of the risk is to use htmlentities() on any foreign data that you want to output. If you want to allow <b> and <br>, then you can use str_replace() to convert those back:

$html = str_replace('&lt;b&gt;', '<b>', $html);
$html = str_replace('&lt;/b&gt;', '</b>', $html);

Hope that helps.

Chris

=====
Chris Shiflett - http://shiflett.org/

PHP Security - O'Reilly
    Coming Fall 2004
HTTP Developer's Handbook - Sams
    http://httphandbook.org/
PHP Community Site
    http://phpcommunity.org/

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
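The escape-then-whitelist approach from the reply above, worked through as an added example (this is not Chris Shiflett's code; the function name, variable names and sample input are assumptions made here). It encodes everything with htmlentities() first, then maps only the encoded forms of bare <b>, </b> and <br> back to real tags, so a tag that carries attributes or any other tag name never matches the whitelist and stays encoded. str_ireplace() is used instead of str_replace() so that the upper-case <B> from the original question is also accepted.

```php
<?php
// Added example, not code from the mailing-list post.
// Names (escape_allow_bold_br, $untrusted, $sample) are assumptions.

/**
 * Escape untrusted text for HTML output, then re-enable only <b>, </b> and <br>.
 * The whitelist lookup is an exact (case-insensitive) string match on the
 * encoded tag, so "<b onclick=...>" or "<script>" never match and remain
 * harmlessly encoded as text.
 */
function escape_allow_bold_br(string $untrusted): string
{
    // Step 1: neutralise everything. ENT_QUOTES also encodes ' and ".
    $safe = htmlentities($untrusted, ENT_QUOTES, 'UTF-8');

    // Step 2: map the encoded form of each permitted tag back to the real tag.
    // The keys are exactly what htmlentities() produces for the bare tags.
    $allowed = [
        '&lt;b&gt;'    => '<b>',
        '&lt;/b&gt;'   => '</b>',
        '&lt;br&gt;'   => '<br>',
        '&lt;br /&gt;' => '<br>',
    ];

    return str_ireplace(array_keys($allowed), array_values($allowed), $safe);
}

// Constructed sample input: a permitted tag, an upper-case permitted tag,
// a permitted tag name carrying an attribute, a literal entity, and a
// forbidden tag.
$sample = 'Hello <b>world</b><BR>1 &lt; 2 <b onclick="x()">no</b> <script>x()</script>';

echo escape_allow_bold_br($sample), PHP_EOL;
```

Running it shows that only the bare <b>, </b> and <BR> come back as markup; the attributed <b ...> and the <script> tag appear on the page as visible text, and the literal "&lt;" in the input is double-encoded so it displays as the user typed it. One caveat the exact-match approach does not address: the user can still leave a <b> unclosed, which affects layout but not security.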