[thelist] [Server-side Security] stopping script / html injection

Jonathan Snook jonathan.snook at gmail.com
Mon Jul 23 21:15:54 CDT 2007


On 7/23/07, Paul Bennett <Paul.Bennett at wcc.govt.nz> wrote:
> I've set up a generic function to check for the following: <, >, &lt;, &gt; and reject the data if they're found.

If you're checking for entities, check for &lt and &gt (without
semicolons as most browsers will encode those) and their numeric
counterparts &#60; and &#62; (again, with and without semicolons).

Depending on how you're stripping things, you'll probably want to look
out for someone doing, &<lt;script&>gt;. The <> would get stripped but
depending on your order or regex matching, it might leave valid tags
behind.

There are probably other ways. That's just what I've thought of for now.
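The ordering hazard Jonathan describes, worked through as an added example (this is not code from the list or from either poster): a single blacklist pass over the `&<lt;script&>gt;` input leaves a string that decodes to a real tag, repeating the pass until the string stops changing closes that gap, and escaping at output time makes the question moot because the stored value is rendered as text whatever it contains. The sample input is the one quoted in the post; the function names and the second stripping order are assumptions for illustration.

```python
import html
import re

# Sample input taken from the post: brackets nested inside half-written entities.
NESTED = "&<lt;script&>gt;"

# Entity forms named in the post, with the semicolon optional as it advises.
ENTITY_RE = re.compile(r"&(lt|gt|#60|#62);?", re.IGNORECASE)


def naive_strip(s: str) -> str:
    """One blacklist pass: drop entity forms first, then raw angle brackets.

    Hypothetical filter illustrating the ordering problem from the post. Removing
    the raw < and > from '&<lt;script&>gt;' glues the pieces into '&lt;script&gt;',
    which the entity step has already run past.
    """
    s = ENTITY_RE.sub("", s)
    return s.replace("<", "").replace(">", "")


def strip_until_stable(s: str) -> str:
    """Repeat the blacklist pass until a pass changes nothing.

    Stripping one layer can expose another; iterating to a fixed point means no
    freshly assembled entity or bracket survives.
    """
    while True:
        out = naive_strip(s)
        if out == s:
            return out
        s = out


def contains_tag_after_decode(s: str) -> bool:
    """Would this stored value become a <script> tag once entities are resolved?

    html.unescape handles named and numeric references with or without the
    trailing semicolon, matching the browser behaviour the post warns about.
    """
    return "<script" in html.unescape(s).lower()


def encode_for_html(s: str) -> str:
    """Escape at output time instead of filtering on input.

    Every &, <, >, quote and apostrophe becomes an entity, so the browser shows
    the literal characters and never parses them as markup.
    """
    return html.escape(s, quote=True)


if __name__ == "__main__":
    once = naive_strip(NESTED)
    print("single pass :", once, "-> tag after decode:", contains_tag_after_decode(once))
    stable = strip_until_stable(NESTED)
    print("fixed point :", stable, "-> tag after decode:", contains_tag_after_decode(stable))
    print("encoded     :", encode_for_html(NESTED))
```

Running it shows the single pass yielding `&lt;script&gt;`, which decodes to a tag; the fixed-point variant yields `script`, and the encoded form renders the original text inert. In practice the escaping at output is the control to rely on, since the blacklist only ever covers the variants someone has thought of.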