Re: Escape html tags and other dangerous input
From: Shabam (blislecp_at_hotmail.com)
Date: Wed, 29 Sep 2004 00:35:53 -0700
"Ben Lucas" <email@example.com> wrote in message
> To prevent this kind of injection attack, I would validate the user input
> and disallow the offending characters. If you were not using it in a
> hyperlink, I would suggest HTML Encoding it, as that would prevent the
> injection, but that doesn't help with the ampersand, and the search page
> would need to HTML Unencode it or it would affect the search results. If
> you cannot disallow the offending characters, then you will need some way
> to change the ampersand on your querystring so that it is not an ampersand
> but can be interpreted by the search page correctly.
Besides the following characters, which others are potentially dangerous?
Is there a complete list somewhere?
', %, #, &, !
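The distinction Ben draws above (HTML-encoding protects the page body, but an ampersand inside a querystring has to be transformed some other way so the search page can still read the value) is easiest to see by building the link three ways and then parsing what the search page would actually receive. The following is an added example, not code from either poster; it assumes a hypothetical search page at /search.aspx that reads a q parameter, and the sample search term is constructed to contain every character listed in the question.

```python
import html
from urllib.parse import quote, parse_qs, urlsplit

# Constructed sample input: a user-supplied search term containing the
# characters asked about in the post (', %, #, &, !) plus an HTML tag.
USER_TERM = "tom & jerry 100% #1 <b>'bold'</b>!"

# Hypothetical search page and parameter name (assumption, not from the post).
SEARCH_PAGE = "/search.aspx"


def naive_link(term: str) -> str:
    """Raw concatenation into the href: the injectable 'before' case."""
    return '<a href="' + SEARCH_PAGE + '?q=' + term + '">search</a>'


def html_encoded_link(term: str) -> str:
    """HTML-encode only. This keeps the tag from breaking out of the
    attribute, but the browser decodes &amp; back to & before it sends
    the request, so the query string is still split at the ampersand."""
    return ('<a href="' + SEARCH_PAGE + '?q='
            + html.escape(term, quote=True) + '">search</a>')


def safe_link(term: str) -> str:
    """Two contexts, two encoders: URL-encode the value for the query
    string (safe="" so & % # ' ! and spaces are all percent-encoded),
    then HTML-encode the whole URL for the attribute context."""
    url = SEARCH_PAGE + "?q=" + quote(term, safe="")
    return '<a href="' + html.escape(url, quote=True) + '">search</a>'


def render_result_heading(term: str) -> str:
    """The non-hyperlink case from the post: HTML-encoding alone is the
    right treatment when the term is echoed into the page body."""
    return "<h2>Results for " + html.escape(term, quote=True) + "</h2>"


def href_of(anchor: str) -> str:
    """Recover the href the way a browser does: take the attribute value
    and HTML-unescape it (so &amp; becomes & again)."""
    start = anchor.index('href="') + len('href="')
    end = anchor.index('"', start)
    return html.unescape(anchor[start:end])


def search_page_sees(anchor: str) -> dict:
    """What the search page receives for the link: parse the query string
    of the URL a browser would request. parse_qs splits on & and then
    percent-decodes each value, which is why the URL-encoded form
    round-trips and the other two do not."""
    return parse_qs(urlsplit(href_of(anchor)).query)


if __name__ == "__main__":
    for build in (naive_link, html_encoded_link, safe_link):
        print(build.__name__, "->", search_page_sees(build(USER_TERM)))
    print(render_result_heading(USER_TERM))
```

Run stand-alone, the first two links hand the search page only "tom " (everything after the ampersand becomes a second, meaningless parameter and everything after the # is a fragment the browser never sends), while the URL-encoded link delivers the full term unchanged. The naive link also still contains the literal `<b>` tag inside the markup.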