 Posted by simon on 05/24/05 02:24 
"Chris B" <zen19389@REMOVEzen.co.uk> wrote in message  
news:4291afc3$0$16470$db0fefd9@news.zen.co.uk... 
>> Would there be some piece of code to allow me to safely and _properly_  
>> parse any piece of html? where every trick in the html books has been  
>> handled? 
> 
> 
> I think there will always be a new trick. Trying to stop someone doing  
> something is generally more incentive for them to try. 
 
I agree with you but if I remove all the onclick, onsubmit etc I should be  
ok I think. 
I wish there was a website/link where html holes could be pointed out. 
 
For example where users could inject code in the $_GET and so on. 
 
> 
> One thing you could try instead of stripping all html out, is simply  
> replacing < and > with something else, like #. 
> The code would still appear (obviously) but wouldn't be executable. 
> That is unless you don't want the html code to appear at all.. in which  
> case, I have no idea :) 
 
No, that would prevent any form of html, and it is not ideal. 
All I want is to allow (safe?) html, like fonts, underline and colours for  
example. 
 
Simon
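The exchange above ends with the practical question of how to keep "safe" html such as fonts, underline and colours while keeping event handlers and scripts out. Stripping known attributes like onclick and onsubmit is a blocklist, and Chris's point that "there will always be a new trick" is exactly the weakness of a blocklist. The usual defensive answer is to invert it: parse the input, re-emit only an allowlist of tags and attributes, and escape everything else as plain text. The following is an added example written for this thread, not code from either poster; it uses Python's standard-library HTMLParser rather than PHP, and the tag/attribute allowlist and the value patterns are illustrative choices, not a standard.

```python
import re
from html import escape
from html.parser import HTMLParser

# Allowlist: tag -> attributes that may survive on that tag (an illustrative
# choice for this example). Anything not listed (script, img, a, on* handlers,
# style, href, ...) never reaches the output as markup, whatever new trick
# the sender comes up with.
ALLOWED_TAGS = {
    "b": set(),
    "i": set(),
    "u": set(),
    "font": {"color", "face", "size"},
}

# Even allowed attributes only keep values that match a strict shape, so a
# "javascript:" or other unexpected value in an allowed attribute is dropped.
ATTR_PATTERNS = {
    "color": re.compile(r"#[0-9a-fA-F]{3,6}|[a-zA-Z]{1,20}"),
    "face": re.compile(r"[a-zA-Z ,]{1,40}"),
    "size": re.compile(r"[+-]?[1-7]"),
}


class AllowlistSanitizer(HTMLParser):
    """Re-emit only allowlisted markup; everything else becomes escaped text."""

    def __init__(self):
        # convert_charrefs=True hands us decoded text, which we re-escape on
        # output, so "&lt;script&gt;" in the input cannot be smuggled through.
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names, so <B ONCLICK=...>
        # arrives here as ("b", [("onclick", ...)]).
        if tag not in ALLOWED_TAGS:
            return  # drop the tag; its text content still arrives via handle_data
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_TAGS[tag] or value is None:
                continue
            if not ATTR_PATTERNS[name].fullmatch(value):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag not in self.open_tags:
            return  # stray or disallowed close tag
        # Close any tags opened after it so the output stays well nested.
        while self.open_tags:
            top = self.open_tags.pop()
            self.out.append(f"</{top}>")
            if top == tag:
                break

    def handle_data(self, data):
        # Text nodes only need <, > and & escaped.
        self.out.append(escape(data, quote=False))

    def handle_comment(self, data):
        pass  # comments (including conditional comments) are dropped entirely

    def handle_decl(self, decl):
        pass  # doctype and similar declarations are dropped

    def handle_pi(self, data):
        pass  # processing instructions are dropped

    def result(self):
        self.close()
        while self.open_tags:  # close anything the sender left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize(user_html):
    """Return user-supplied HTML reduced to the allowlisted subset."""
    parser = AllowlistSanitizer()
    parser.feed(user_html)
    return parser.result()


if __name__ == "__main__":
    # Constructed samples of the kind of input a comment form might receive.
    for sample in (
        '<b onclick="alert(1)">bold</b>',
        '<script>alert(1)</script> hello',
        '<font color="red" style="x">red</font>',
        '<FONT COLOR="javascript:alert(1)">x</FONT>',
        '<u>never closed',
    ):
        print(repr(sample), "->", repr(sanitize(sample)))
```

The design point is that the sanitizer never has to know which attributes are dangerous: a `<script>` block survives only as visible text (which is what Chris described wanting), a `<b>` keeps no attributes at all, and a `<font>` keeps only a colour, face or size whose value matches a tight pattern. The same approach applies to values taken from $_GET: parse, rebuild from the allowlist, and escape the remainder on output rather than trying to enumerate every hole.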
 