On 20 May 2010 13:53, Al <n...@ridersite.org> wrote:
>
> I have a password-protected, per-user, on-line editor that I'm hardening against
> hackers just in case a user's pw is stolen or their local PC is infected.
>
> The user can enter html tags; but, I restrict the acceptable tags to benign
> ones, e.g., <p>, <b>, <table>, etc.; no <embed...>, <script...>, etc.
>
> Just to be extra safe, I've added a function that parses for executables in
> the raw, entered text. If found, I post a nasty error message and ignore
> the entry altogether.

That's not really going to work. See:

http://ha.ckers.org/xss.html

Blacklisting is a fundamentally flawed approach. I suggest using
http://htmlpurifier.org/ instead.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
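The following is an added illustration of the point made in the reply above; it is not code from the thread. Al's actual checks are not on the page, so the two functions below are a plausible reconstruction of what the quoted message describes (a tag-name allowlist plus a blacklist of "executable" tags). The payload strings are constructed here in the style of the ha.ckers.org cheat sheet. The second half assumes HTML Purifier has been installed with Composer (`composer require ezyang/htmlpurifier`) so that `vendor/autoload.php` exists.

```php
<?php
// Added example, not from the original thread.
//
// Part 1: the kind of checks described in the quoted message (reconstructed,
// since the real function is not shown). Both look only at tag *names*.

// Reject input that names a tag from a blacklist of "executable" tags.
function blacklist_reject(string $html): bool
{
    return (bool) preg_match('/<\s*(script|embed|object|iframe|applet)\b/i', $html);
}

// Accept input only if every tag name is in the allowed set.
function tag_names_allowed(string $html, array $allowed): bool
{
    preg_match_all('/<\s*\/?\s*([a-z0-9]+)/i', $html, $m);
    foreach ($m[1] as $name) {
        if (!in_array(strtolower($name), $allowed, true)) {
            return false;
        }
    }
    return true;
}

$allowed = ['p', 'b', 'table', 'tr', 'td', 'th'];

// Constructed payloads. Each uses ONLY allowed tags and names no blacklisted
// tag, so both checks above pass them; the attack lives in the attributes,
// not the tag name (event handlers, javascript: URLs, IE CSS expressions).
$payloads = [
    '<b onmouseover="alert(document.cookie)">hover me</b>',
    '<table background="javascript:alert(1)"><tr><td>x</td></tr></table>',
    '<p style="width:expression(alert(1))">ie-only</p>',
    '<td onmousemove=alert(1)>x</td>',
];

foreach ($payloads as $p) {
    $passes = tag_names_allowed($p, $allowed) && !blacklist_reject($p);
    printf("%-70s blacklist+tag-allowlist: %s\n", $p, $passes ? 'PASSED (bad)' : 'rejected');
}

// Part 2: the allowlist approach the reply recommends. HTML Purifier parses the
// input into a document tree and rebuilds it, keeping only the elements (and
// attributes) that are explicitly allowed; everything else, including every
// attribute here since none is listed, is dropped rather than pattern-matched.
// Assumes: composer require ezyang/htmlpurifier
require_once __DIR__ . '/vendor/autoload.php';

$config = HTMLPurifier_Config::createDefault();
$config->set('HTML.Allowed', 'p,b,table,tr,td,th'); // elements only, no attributes
$purifier = new HTMLPurifier($config);

foreach ($payloads as $p) {
    printf("purified: %s\n", $purifier->purify($p));
}
```

Run it with `php example.php`. The first loop reports every payload as passed, because a regex over tag names cannot see attribute-borne script. The second loop prints the same markup with the event handlers, `background` URL and `style` removed, which is the difference between filtering out what you know is bad and keeping only what you know is safe.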
