[thelist] What to watch for when you allow external text to be included in your page?

Alliax damiencola at wanadoo.fr
Wed Nov 28 17:05:17 CST 2001


Hello,
I'd like to know what to watch for when I make an external input part of my
HTML page?

My situation is that I dynamically generate an IMG tag with PHP;
the SRC and ALT attributes are filled with data from a database.

So I would like to know what to watch for before entering the data in the
database.

(I am thinking of some sort of server include, although I don't know the
syntax used for them well, but surely others know and could try.)
For example, would something like this be a threat (assume I know nothing of the
syntax)?
<IMG SRC=http://www.server.com/image.gif
ALT="<!exec='/erase -everything -onServer'>" width="80">

What can you think of?

Thank you.
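One way to build the tag so that database values cannot break out of the SRC or ALT attributes, as an added example that is not from the original post (PHP; the row layout, the fallback image path and the URL allow-list are assumptions):

```php
<?php
// Added example, not code from the original post: build an <img> tag from
// database values so that neither SRC nor ALT can escape its attribute.
// Assumed row layout: ['src' => ..., 'alt' => ..., 'width' => ...].

function safe_img_src(string $src): ?string
{
    // Reject control characters, whitespace and quotes that could split the
    // attribute or start a new one.
    if ($src === '' || preg_match('/[\x00-\x20"\'<>]/', $src)) {
        return null;
    }
    // Allow site-relative paths ("/images/x.gif") but not protocol-relative "//host".
    if ($src[0] === '/' && substr($src, 0, 2) !== '//') {
        return $src;
    }
    // Allow absolute http/https URLs; any other scheme (javascript:, data:, ...)
    // is dropped instead of being written into the page.
    $scheme = strtolower((string) parse_url($src, PHP_URL_SCHEME));
    if (in_array($scheme, ['http', 'https'], true)) {
        return $src;
    }
    return null;
}

function img_tag(array $row): string
{
    $src = safe_img_src((string) $row['src']);
    if ($src === null) {
        $src = '/images/missing.gif';   // assumed fallback image
    }
    $width = (int) $row['width'];       // numeric attribute: cast, nothing to escape
    // ENT_QUOTES escapes both " and ', so the value can never close the attribute;
    // < and > are escaped too, so no tag or include directive survives.
    $alt = htmlspecialchars((string) $row['alt'], ENT_QUOTES, 'UTF-8');
    $src = htmlspecialchars($src, ENT_QUOTES, 'UTF-8');
    return sprintf('<img src="%s" alt="%s" width="%d">', $src, $alt, $width);
}

// Constructed rows: a normal record, and one carrying the hostile ALT and a
// non-http SRC, to show both values are neutralised on output.
$rows = [
    ['src' => 'http://www.server.com/image.gif', 'alt' => 'Logo', 'width' => '80'],
    ['src' => 'javascript:alert(1)',
     'alt' => '"><!exec=\'/erase -everything -onServer\'>', 'width' => '80'],
];
foreach ($rows as $row) {
    echo img_tag($row), "\n";
}
```

Escaping at output time (when the tag is generated) is what makes the page safe; validating before the row is stored is a useful extra check but does not replace it.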