[thelist] [Server-side Security] stopping script / html injection
Jonathan Snook
jonathan.snook at gmail.com
Mon Jul 23 21:15:54 CDT 2007
On 7/23/07, Paul Bennett <Paul.Bennett at wcc.govt.nz> wrote:
> I've set up a generic function to check for the following: <, >, &lt;, &gt; and reject the data if they're found.
If you're checking for entities, check for &lt; and &gt; (without semicolons, as most browsers will encode those) and their numeric counterparts &#60; and &#62; (again, with and without semicolons).
Depending on how you're stripping things, you'll probably want to look out for someone doing &<lt;script&>gt;. The <> would get stripped, but depending on your order or regex matching, it might leave valid tags behind.
There are probably other ways. That's just what I've thought of for now.
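Worked example of the two points in Jonathan's reply. This is added here and is not code from the thread: strip_blacklist is a constructed stand-in for the "generic function" Paul describes, the payload strings are constructed, and html.unescape() is used as a stand-in for the browser's character-reference parsing (it follows the HTML5 rules, so named and numeric references decode with or without the trailing semicolon). The example also shows why stripping on input is the wrong layer: encoding on output with html.escape() turns every one of the payloads, including the nested &<lt;script&>gt; trick, into literal text.

```python
import html

# Constructed stand-in for a blacklist stripper: delete each token in turn.
# The ORDER of the tokens is what decides whether the nested payload survives.
def strip_blacklist(data: str, tokens: tuple) -> str:
    for token in tokens:
        data = data.replace(token, "")
    return data

# Two orderings of the same blacklist.
ENTITIES_FIRST = ("&lt;", "&gt;", "<", ">")
BRACKETS_FIRST = ("<", ">", "&lt;", "&gt;")

# Constructed payloads. All of them are meant to reach the page as <script>.
PAYLOADS = {
    "plain":            "<script>",
    "named":            "&lt;script&gt;",
    "named_no_semi":    "&ltscript&gt",          # no ';' -> misses the blacklist
    "decimal":          "&#60;script&#62;",      # numeric counterparts
    "decimal_no_semi":  "&#60script&#62",
    "hex":              "&#x3c;script&#x3e;",
    "nested":           "&<lt;script&>gt;",      # the one Jonathan describes
}

def browser_sees(filtered: str) -> str:
    """What a browser's parser makes of the filtered string as text content
    (html.unescape is the stand-in: semicolon optional, numeric refs decoded)."""
    return html.unescape(filtered)

def tag_survives(payload: str, order: tuple) -> bool:
    """True if a <script> tag is still present after filtering + browser decoding."""
    return "<script>" in browser_sees(strip_blacklist(payload, order))

def escape_on_output(data: str) -> str:
    """The fix: keep the input as-is and encode when writing it into HTML.
    html.escape() encodes '&' first, so an entity already in the input stays
    an entity *string* on the page instead of being decoded into a tag."""
    return html.escape(data, quote=True)

def render_is_literal(payload: str) -> bool:
    """Escape then decode must round-trip to the exact input text, i.e. the
    browser displays the payload instead of parsing it as markup."""
    return browser_sees(escape_on_output(payload)) == payload

if __name__ == "__main__":
    print(f"{'payload':<18}{'entities-first':<16}{'brackets-first':<16}literal-after-escape")
    for name, p in PAYLOADS.items():
        print(f"{name:<18}{str(tag_survives(p, ENTITIES_FIRST)):<16}"
              f"{str(tag_survives(p, BRACKETS_FIRST)):<16}{render_is_literal(p)}")
```

Running it shows the nested payload getting through only when the entity tokens are stripped before the raw brackets (the stripper leaves &lt;script&gt; behind, which the browser decodes), while the no-semicolon and numeric forms get through under either order because the blacklist never matches them. The escape-on-output column is True for every row.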