[thelist] Removing tags in an input field: What else to remove?

Ben Dyer ben_dyer at imaginuity.com
Mon May 14 13:01:37 CDT 2001


Well, to be honest, that's what I would prefer, but I was running into 
instances where this really wasn't possible.

For example, I might want to allow the <b> tag.  But, I want to do it in a 
way that takes both attributes into account, and also scraps other tags 
that begin with the letter b, like <br> or <blink>.

So, if I scanned for instances of "<b", I would be allowing "<blink" or, if 
I scanned for instances of "<b>", I would be missing "<b >" or "<b 
class="whatever">". (Yeah, this is unlikely, but there are other places 
where this would be a problem, like with the <a> tag.)

Unfortunately, there seem to be just as many unknowns when you scan to 
deny as there are when you scan to approve.  I'm just looking for a way 
that, if regular users of this app try something dumb, they'll be 
rejected, and if someone tries something malicious, they'll be 
rejected too (or at least give up when they realize I'm scanning 
everything they enter).

--Ben

At 11:14 AM 5/14/2001, you wrote:
>Hi Ben,
>
> > Basically, is there anything that I'm missing?
>
>It seems like it would be easier (and safer) to allow only your "safe" 
>tags, rather than eliminate the "unsafe" tags.  Then you have the unknowns 
>covered as well.

<!-----------------------
Ben Dyer
Senior Internet Developer
Imaginuity Interactive
http://www.imaginuity.com
//---------------------->
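The approach the reply suggests (allow only known-safe tags, reject everything else) becomes tractable once you stop string-matching on "<b" and let a real tokenizer tell you the tag name and its attributes. The sanitizer below is an added example for this thread, not code from Ben's post or from thelist; the allowlist (b, i, a with href/title) and the set of permitted URL prefixes are assumptions chosen for illustration, and the sample inputs are constructed to mirror the cases in the message: "<b >", "<b class=...>", "<blink>", "<br>", and an "<a>" whose href must be checked.

```python
"""Allowlist HTML sanitizer: keep a few known-safe tags and attributes,
drop everything else.  Added illustration for the thread above; the
tag/attribute allowlist is an assumed example, not a recommendation."""

import html
from html.parser import HTMLParser

# Assumed allowlist: tag name -> attribute names permitted on that tag.
# Anything not listed (<br>, <blink>, <script>, onclick=, style=, class=)
# is dropped, so unknown or future tags are rejected by default.
ALLOWED_TAGS = {
    "b": set(),
    "i": set(),
    "a": {"href", "title"},
}
# href values must start with one of these, which rules out javascript: URLs.
SAFE_URL_PREFIXES = ("http://", "https://", "mailto:")


class AllowlistSanitizer(HTMLParser):
    """Re-emits only allowlisted tags, carrying only allowlisted attributes.

    A tokenizer resolves <b>, <b >, <B CLASS="x"> and <b class="x"> all to
    the tag name "b", while <br> and <blink> resolve to their own names and
    are rejected, so the "<b" prefix problem from the post never arises.
    """

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []        # pieces of the cleaned output
        self.open_tags = []  # stack of allowed tags currently open
        self.rejected = []   # what was dropped, for logging or refusing input

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            self.rejected.append(tag)
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_TAGS[tag]:
                self.rejected.append(f"{tag}@{name}")
                continue
            if name == "href" and not value.strip().lower().startswith(SAFE_URL_PREFIXES):
                self.rejected.append(f"{tag}@{name}")
                continue
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        self.open_tags.append(tag)

    def handle_endtag(self, tag):
        # Close only tags we actually opened; this also repairs mis-nesting
        # such as <b><i>x</b></i>, so the output is always well formed.
        if tag not in self.open_tags:
            return
        while self.open_tags:
            top = self.open_tags.pop()
            self.out.append(f"</{top}>")
            if top == tag:
                break

    def handle_data(self, data):
        # Text is re-escaped, so a literal "<" or "&" typed by the user
        # survives as text and can never be reinterpreted as markup.
        self.out.append(html.escape(data, quote=False))

    # Comments, doctypes and processing instructions are never needed here.
    def handle_comment(self, data):
        self.rejected.append("comment")

    def handle_decl(self, decl):
        self.rejected.append("decl")

    def handle_pi(self, data):
        self.rejected.append("pi")

    def result(self):
        self.close()
        while self.open_tags:  # close anything the user left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize(fragment):
    """Return (cleaned_html, rejected_items) for an untrusted HTML fragment."""
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    return parser.result(), parser.rejected


if __name__ == "__main__":
    # Constructed sample inputs mirroring the cases discussed in the post.
    for sample in (
        'Hello <b class="whatever">world</b> <blink>x</blink><br>',
        '<a href="javascript:alert(1)" onclick="x()">click</a>',
        '<b >unterminated',
    ):
        clean, dropped = sanitize(sample)
        print(repr(sample), "->", repr(clean), "dropped:", dropped)
```

The rejected list is the piece that addresses Ben's second goal: a form handler can either silently ship the cleaned text or, if the list is non-empty, bounce the submission back to the user with a message, so that both careless and deliberate attempts get the same rejection.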
