[thelist] Removing tags in an input field: What else to remove?
Ben Dyer
ben_dyer at imaginuity.com
Mon May 14 13:01:37 CDT 2001
Well, to be honest, that's what I would prefer, but I was running into
instances where this really wasn't possible.
For example, I might want to allow the <b> tag. But, I want to do it in a
way that takes both attributes into account, and also scraps other tags
that begin with the letter b, like <br> or <blink>.
So, if I scanned for instances of "<b", I would be allowing "<blink" or, if
I scanned for instances of "<b>", I would be missing "<b >" or "<b
class="whatever">". (Yeah, this is unlikely, but there are other places
where this would be a problem, like with the <a> tag.)
Unfortunately, there seem to be just as many unknowns when you scan to
deny as there are when you scan to approve. I'm just looking for a way
that if regular users of this app try something dumb, that they'll be
rejected and if someone tries something maliciously, that they will be
rejected, too (or at least give up when they realize I'm scanning
everything they enter).
--Ben
At 11:14 AM 5/14/2001, you wrote:
>Hi Ben,
>
> > Basically, is there anything that I'm missing?
>
>It seems like it would be easier (and safer) to allow only your "safe"
>tags, rather than eliminate the "unsafe" tags. Then you have the unknowns
>covered as well..
<!-----------------------
Ben Dyer
Senior Internet Developer
Imaginuity Interactive
http://www.imaginuity.com
//---------------------->
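
The matching problem raised in this message (accepting `<b>`, `<b >` and `<b class="whatever">` without also accepting `<blink>` or `<br>`) goes away when a parser extracts the tag name instead of a substring scan. The following is an added example, not code from the original post; the policy in `ALLOWED` and `SAFE_SCHEMES` and the function name `sanitize` are assumptions made for illustration.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed policy: tag name -> attributes that may be kept on that tag.
ALLOWED = {"b": set(), "i": set(), "a": {"href"}}
SAFE_SCHEMES = {"http", "https", "mailto"}  # relative and other links are dropped

class AllowlistSanitizer(HTMLParser):
    """Re-emit only allowlisted tags; other markup is dropped, text is escaped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []

    def handle_starttag(self, tag, attrs):
        # The parser supplies the complete tag name, so "b" never matches
        # "blink" or "br", while "<b >" and "<b class=...>" both arrive as "b".
        if tag not in ALLOWED:
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED[tag] or value is None:
                continue
            scheme = urlsplit(value.strip()).scheme.lower()
            if name == "href" and scheme not in SAFE_SCHEMES:
                continue
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        self.open_tags.append(tag)

    def handle_endtag(self, tag):
        # Close only tags we opened, closing anything still nested inside.
        while tag in self.open_tags:
            self.out.append(f"</{self.open_tags.pop()}>")

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))

def sanitize(text):
    p = AllowlistSanitizer()
    p.feed(text)
    p.close()
    # Balance any allowlisted tags the user left open.
    p.out.extend(f"</{t}>" for t in reversed(p.open_tags))
    return "".join(p.out)
```

Because the output is rebuilt from the parsed tag names and the kept attributes, anything the policy does not name never reaches the page, which covers the "unknowns" on both the deny and approve sides.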