Posted by Michael Fesser on 10/23/07 20:11
..oO(joey.powell@topscene.com)
>I have a web app with two textboxes. The first textbox allows users to
>type in various text, html tags and CSS. The second textbox, on post
>back, will display/markup the text entered from the first textbox. The
>idea is that users can insert their own "descriptions" for items
>maintained by the website. Obviously if I am going to do something
>like this I should be careful, with the threat of XSS attacks, etc...
Instead of allowing them to use full HTML, you should consider using
something like BBCode, for example. Give them just the things they need,
not more.
With full HTML there are _many_ different ways to include scripting.
It's very hard to block them all, so you shouldn't allow it at all.
Micha
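To illustrate the allowlist approach Micha describes (escape everything, then translate only a small set of markup you chose), here is an added example. It is not code from the original thread; the tag set and the http(s)-only link rule are assumptions you would adjust for your own site.

```python
import html
import re

# Allowlisted BBCode tags and the HTML element each becomes (constructed example set).
SIMPLE_TAGS = {
    "b": "strong",
    "i": "em",
    "u": "u",
}

# [url=target]label[/url]: only http(s) targets are turned into links.
_URL_RE = re.compile(r"\[url=([^\]]+)\](.*?)\[/url\]", re.DOTALL | re.IGNORECASE)
_SAFE_SCHEME = re.compile(r"^https?://", re.IGNORECASE)


def _url_repl(match):
    target, label = match.group(1), match.group(2)
    # Quotes were already escaped to &quot; by html.escape, so the attribute
    # cannot be broken out of; non-http schemes are dropped, keeping the text.
    if not _SAFE_SCHEME.match(target):
        return label
    return '<a href="%s" rel="nofollow">%s</a>' % (target, label)


def render_bbcode(source: str) -> str:
    # Step 1: escape the whole input, so any raw HTML the user typed is inert text.
    out = html.escape(source, quote=True)
    # Step 2: translate only the allowlisted BBCode tags back into HTML.
    for tag, element in SIMPLE_TAGS.items():
        pattern = re.compile(r"\[%s\](.*?)\[/%s\]" % (tag, tag),
                             re.DOTALL | re.IGNORECASE)
        out = pattern.sub(r"<%s>\1</%s>" % (element, element), out)
    out = _URL_RE.sub(_url_repl, out)
    return out


if __name__ == "__main__":
    # Constructed sample inputs.
    for sample in ("[b]bold[/b] and [i]italic[/i]",
                   "<script>alert(1)</script>",
                   "[url=javascript:alert(1)]click[/url]",
                   "[url=http://example.com/?a=1&b=2]site[/url]"):
        print(repr(sample), "->", render_bbcode(sample))
```

The order matters: escaping first means the BBCode translation is the only way any angle bracket reaches the output, so adding a new tag is a deliberate decision rather than a hole to find.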