in reply to Re: Preventing Cross-site Scripting Attacks
in thread Preventing Cross-site Scripting Attacks
I was pointing out the dangers of user-permitted HTML markup many years ago
when I talked about how I was including Barney the Dinosaur into guestbooks
on my home page.
update: Thanks to mdillon for the link for tilly's node.
I don't think there's a completely secure solution. tilly wrote a fairly nice strongbox solution that permits very carefully a subset of HTML, but it's more in the "only permitted things allowed" realm than the "look for bad things and prevent them" realm. Given the risk, I'd say this is the right approach.
-- Randal L. Schwartz, Perl hacker
update: Thanks to mdillon for the link for tilly's node.
|
---|
Replies are listed 'Best First'. | |
---|---|
Re: Re: Re: Preventing Cross-site Scripting Attacks
by mdillon (Priest) on Feb 23, 2002 at 02:13 UTC |
In Section
Meditations