[thelist] Removing tags in an input field: What else to remove?

[Ben Dyer]

Hey guys,

I've written a script in ColdFusion to strip out tags that we don't want 
people to use for input boxes for an administration section.  I've got all 
of the HTML tags (except ones that are kosher like <strong> and <em>), 
including the potentially nasty ones like <script>, <object> and 
<applet>.  It removes ColdFusion tags, everything from <! to > and 
everything from <% to %>.  I've even gotten the Microsoft Word "Save as 
Crappy HTML" tags like <o: > and <w: >.

Basically, is there anything that I'm missing?  I've been running the 
gauntlet of things I can think of: Frontpage webbots (falls under <! 
... >), comments, ColdFusion variables, etc.  Is there anything else that 
could be misused that I haven't thought of?

Thanks!

--Ben


<!-----------------------
Ben Dyer
Senior Internet Developer
Imaginuity Interactive
http://www.imaginuity.com
//---------------------->