[thelist] [Server-side Security] stopping script / html injection
Paul Bennett
Paul.Bennett at wcc.govt.nz
Mon Jul 23 20:56:52 CDT 2007
Hi all,
I've been asked to loosen up security checks for part of a web application being released soon. My usual course of action is to set up a strict set of allowed characters and use a regex to check, then strip tags and escape the data before db insertion. Now I've been asked to allow as wide a scope of characters as possible but not allow any HTML or script.
I've set up a generic function to check for the following: <, >, <, > and reject the data if they're found.
Is there any other way a l33t skr1pt k1dd13 could inject HTML / JS into my lovely code?
Paul
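An added example, not from the post or the thelist archive, contrasting the angle-bracket rejection described above with the defender's usual alternative: store the raw text and encode it for the HTML context at output time. Function names and sample inputs are my own.

```python
import html


def passes_angle_bracket_filter(value: str) -> bool:
    """The check described in the post: reject input that contains < or >."""
    return "<" not in value and ">" not in value


def encode_for_html(value: str) -> str:
    """Encode for HTML element content and quoted attribute values.
    quote=True also encodes " and ' so a value cannot close an attribute."""
    return html.escape(value, quote=True)


def render_comment(author: str, body: str) -> str:
    """Build an HTML fragment from *raw* stored strings, encoding at output.
    Nothing is stripped or rejected; the browser shows the text literally."""
    return (f'<p class="comment" data-author="{encode_for_html(author)}">'
            f'{encode_for_html(body)}</p>')


def double_encoded(value: str) -> str:
    """Caveat: escaping before DB insertion and again on output encodes
    ampersands twice, so the page displays a literal '&amp;'."""
    return html.escape(html.escape(value))


# Constructed sample inputs (hypothetical, not real user data)
SAMPLES = {
    "math": "1 < 2 and 3 > 2",       # legitimate text the filter rejects
    "markup": "<b>bold</b>",         # HTML the post wants to refuse
    "quote": 'Paul "the" Bennett',   # no angle brackets: filter passes it
    "amp": "Tom & Jerry",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name:6} filter={passes_angle_bracket_filter(text)!s:5} "
              f"-> {render_comment('paul', text)}")
    print("double:", double_encoded(SAMPLES["amp"]))
```

The output-encoding path keeps the wide character range the post asks for, while the filter both rejects harmless text such as `1 < 2` and passes quotes that matter inside attributes.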