[thelist] [Server-side Security] stopping script / html injection

Paul Bennett Paul.Bennett at wcc.govt.nz
Mon Jul 23 20:56:52 CDT 2007


Hi all,

I've been asked to loosen up security checks for part of a web application being released soon. My usual course of action is to set up a strict set of allowed characters and use a regex to check, then strip tags and escape the data before db insertion. Now I've been asked to allow as wide a scope of characters as possible but not allow any HTML or script.

I've set up a generic function to check for the following: <, >, &lt;, &gt; and reject the data if they're found.

Is there any other way a l33t skr1pt k1dd13 could inject HTML / JS into my lovely code?

Paul


