Re: [Full-disclosure] strip_tags() but not only vulnerability
- From: ascii <ascii@xxxxxxxxxxxx>
- Date: Thu, 30 Mar 2006 02:22:08 +0200
Tõnu Samuel wrote:
Many websites are still vulnerable and similar problems happen not depending
on programming language too often:
http://www.jes.ee/~tonu/strip.php
yes, if you use strip_tags() with the whitelist argument the whitelisted
tag can be misused.. the php manual warns you about this, so no news..
note that strip_tags() isn't the right function to use against xss (use
regexpr, htmlentities() or htmlspecialchars() instead)
the solution is:
$foo = htmlentities(strip_tags($foo));
or just:
$foo = htmlentities($foo);
if you need to "white list" some tags use an alias (like [b]bold[/b],
etc) and then str_replace (as done by many web applications)
tonu: imho this thread is well suited for webappsec but not for fd or
bt, also can you remove the word "vulnerability" from the subject of
this type of mails?
don't misunderstand me, i like informative mails and yours efforts, just
post on the right mailing list : )
regards, ascii, http://www.ush.it
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
- References:
- [Full-disclosure] strip_tags() but not only vulnerability
- From: Tõnu Samuel
- [Full-disclosure] strip_tags() but not only vulnerability
- Prev by Date: Re: [Full-disclosure] Java integer overflows (was: a really long topic)
- Next by Date: Re: [Full-disclosure] Phish Registry
- Previous by thread: [Full-disclosure] strip_tags() but not only vulnerability
- Next by thread: RE: [Full-disclosure] Hello everyone
- Index(es):
Relevant Pages
|
|
