Posted by Simon on 05/25/05 12:29
Hi,
I am trying to write a class in PHP that removes possible injections in user-given HTML (from a <textarea>).
I realize that I could prevent any HTML code ('<' and '>'), but that would (IMHO) be a bit of overkill.
I don't want to limit HTML for the sake of a handful of bad elements.
But before I do that I need to work out what is potentially malicious and what is not.
My first assertion is that the HTML tags (<a>, <table>, etc.) in themselves are not a potential danger (apart, of course, from <script>). By that I mean there is no tag that can make my server behave in a certain way; only the elements in the tag can be hurtful.
My second assertion is that the element 'style="..."', in any tag, cannot contain any malicious code (that is, for example, contain any donkey(...) etc.), so I would be right in allowing any style="...", id="..." and class="..." elements.
Are my above assertions right?
And where would I be able to find a more detailed article on the possible dangers of HTML tags and elements?
I do realize that PHP can have its own problems, but I would like to limit myself to 'normal' HTML.
Many thanks in advance.
Simon
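One way to turn the question into a concrete rule set, as an added example that is not Simon's code and not taken from any library: an allowlist sanitiser built on PHP's DOMDocument that keeps only listed tags and attributes, drops script and style elements together with their content, and keeps an href only when its scheme is on a short list. It treats attributes rather than tags as the place where the risk lives, which is why event handlers and style are deliberately absent from the lists; the tag, attribute and scheme lists themselves are assumptions to tune for the site.

```php
<?php
// Added example (not Simon's code). Assumes PHP 5.4+ with the DOM extension; the lists below are illustrative.
class HtmlAllowlist {
    private $tags = ['a', 'b', 'i', 'em', 'strong', 'p', 'br', 'ul', 'ol', 'li', 'table', 'tr', 'td', 'th'];
    // Attributes kept per tag ('*' = every allowed tag): no style and no on* handlers, on purpose.
    private $attrs = ['*' => ['class', 'id', 'title'], 'a' => ['href']];
    private $schemes = ['http', 'https', 'mailto']; // an href with any other scheme loses the attribute

    public function clean($fragment) {
        $doc = new DOMDocument();
        libxml_use_internal_errors(true); // tolerate the tag soup a <textarea> usually contains
        $doc->loadHTML('<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8">'
            . '</head><body>' . $fragment . '</body></html>');
        $body = $doc->getElementsByTagName('body')->item(0);
        $this->walk($body);
        $out = '';
        foreach ($body->childNodes as $child) { $out .= $doc->saveHTML($child); } // text nodes are re-escaped
        return $out;
    }

    private function walk(DOMNode $node) {
        // Snapshot the list: removing children while iterating a live NodeList skips nodes.
        foreach (iterator_to_array($node->childNodes, false) as $child) {
            if ($child->nodeType === XML_TEXT_NODE) { continue; } // data, not markup
            $tag = strtolower($child->nodeName);
            if ($child->nodeType !== XML_ELEMENT_NODE || $tag === 'script' || $tag === 'style') {
                $node->removeChild($child); continue; // comments, PIs, CDATA, and script/style with their content
            }
            $this->walk($child); // sanitise descendants before deciding about this element
            if (in_array($tag, $this->tags, true)) { $this->filterAttributes($child, $tag); continue; }
            while ($child->firstChild) { $node->insertBefore($child->firstChild, $child); } // unwrap: keep text
            $node->removeChild($child);
        }
    }

    private function filterAttributes(DOMElement $el, $tag) {
        $allowed = array_merge($this->attrs['*'], isset($this->attrs[$tag]) ? $this->attrs[$tag] : []);
        foreach (iterator_to_array($el->attributes, false) as $attr) {
            $name = strtolower($attr->nodeName);
            $drop = !in_array($name, $allowed, true) || ($name === 'href' && !$this->safeUrl($attr->nodeValue));
            if ($drop) { $el->removeAttribute($attr->nodeName); }
        }
    }

    private function safeUrl($url) { // browsers skip embedded whitespace/control characters when reading a scheme
        $url = preg_replace('/[\x00-\x20]+/', '', $url);
        // No scheme (a relative URL) passes; otherwise the scheme must be on the allowlist.
        return !preg_match('/^([a-z][a-z0-9+.-]*):/i', $url, $m) || in_array(strtolower($m[1]), $this->schemes, true);
    }
}

echo (new HtmlAllowlist())->clean('<p onclick="x()">Hi <a href="javascript:notAllowed()">there</a></p><script>bad()</script>');
```

On the constructed input in the last line the <p> and <a> survive, the onclick and the href are dropped, and the script element disappears with its content; because the DOM decodes attribute values before the scheme check, entity-encoded scheme names are checked in decoded form.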