[thelist] What to watch for when you allow external text to be included in your page?
Alliax
damiencola at wanadoo.fr
Tue Dec 4 17:37:48 CST 2001
Hello,
Finally I thought that the most feared characters were
< and > as well as "
so for example some malicious text could be
"><script>document.reload()</script>
So this function would solve this problem:
$mytext = htmlspecialchars($mytext);
But once again, I don't know what an experienced hacker could come up with,
maybe they can do something without having to use < or >
I don't know, I'll tell you if I have a bad experience to learn from.
----- Original Message -----
From: Alliax <damiencola at wanadoo.fr>
> Hi John, thank you for your PHP functions, I'll use them.
> Although breaking the HTML code can be annoying, when I said 'what do I have
> to watch for?' I was thinking of malicious actions, like using server side
> include to run a program on the server and possibly erase the file of my web server.
> > Be careful what you put in the field that you draw alt="" text from. If that
> > field has a ">" in it, the <img> tag you are writing the alt="" text into
> > will be ended by that ">". I dunno what'd happen if you did
> > htmlspecialchars() on it...if the character entities would print or
> > translate when included as alt="" text...In IE 6, alt=">" renders an
> > image's alt="" text as a ">", ymmv.
> ---------------------------------------
> For unsubscribe and other options, including
> the Tip Harvester and archive of TheList go to:
> http://lists.evolt.org Workers of the Web, evolt !
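The two contexts the thread worries about, text between tags and the alt="" attribute of an <img> tag, can both be handled with htmlspecialchars() as long as the attribute is always quoted and the quote character itself is escaped. The following is an added example written for this archive page, not code from the original posters; the function names escapeHtml(), imgTag() and containsUnescaped(), the sample field value and the image path are assumptions made for illustration.

```php
<?php
// Added example, not part of the original thread.
// Escapes untrusted text so it can be placed in HTML element content and
// in a double-quoted attribute value (the alt="" case discussed above).
declare(strict_types=1);

// ENT_QUOTES converts single quotes as well as double quotes; the historical
// default (ENT_COMPAT, before PHP 8.1) left single quotes alone, so a
// single-quoted attribute could still be ended early. ENT_SUBSTITUTE keeps
// invalid UTF-8 from turning the whole result into an empty string.
function escapeHtml(string $untrusted): string
{
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Build an <img> tag whose alt text comes from an untrusted field.
// The attribute is always written with double quotes, so an escaped value
// cannot close it and start a new tag.
function imgTag(string $src, string $altFromUser): string
{
    return '<img src="' . escapeHtml($src) . '" alt="' . escapeHtml($altFromUser) . '">';
}

// Reviewer check: after escaping, none of the characters that change HTML
// structure (<, >, ", ') may remain in the output.
function containsUnescaped(string $escaped): bool
{
    return preg_match('/[<>"\']/', $escaped) === 1;
}

// Constructed sample input, modelled on the payload quoted in the thread
// (hypothetical field value, not taken from a real site).
$sampleField = '"><script>document.reload()</script>';

echo imgTag('/images/photo.png', $sampleField), PHP_EOL;
var_dump(containsUnescaped(escapeHtml($sampleField)));

// Single-quote case that the pre-8.1 default flags did not cover.
echo imgTag('/images/photo.png', "it's a 'quoted' caption"), PHP_EOL;
var_dump(containsUnescaped(escapeHtml("it's a 'quoted' caption")));
```

When run, the first tag carries the field value as &quot;, &lt; and &gt; entities inside alt="", so the browser shows the original characters in the alt text (this answers the "would the entities print or translate" question above: they display as the characters they stand for) while the attribute is no longer terminated early. The containsUnescaped() check is the kind of assertion worth keeping in a test suite whenever a template writes external text into an attribute.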