Posted by Sanders Kaufman on 10/24/07 17:06
"Michael Fesser" <netizen@gmx.de> wrote in message
news:m6lsh3l272au3th4dapinh8ijdv3nvfkf3@4ax.com...
> .oO(joey.powell@topscene.com)
>
>>I have a web app with two textboxes. The first textbox allows users to
>>type in various text, html tags and CSS. The second textbox, on post
>>back, will display/markup the text entered from the first textbox. The
>>idea is that users can insert their own "descriptions" for items
>>maintained by the website. Obviously if I am going to do something
>>like this I should be careful, with the threat of XSS attacks, etc...
>
> Instead of allowing them to use full HTML, you should consider using
> something like BBCode, for example. Give them just the things they need,
> not more.
>
> With full HTML there are _many_ different ways to include scripting.
> It's very hard to block them all, so you shouldn't allow it at all.
I just got finished struggling with that very thing.
I finally decided to allow HTML - but only a couple of tags.
I built a simple regex that makes sure that anything within <> is a P, H, I,
B - and that's it.
>
> Micha
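An added example, not code from either poster, of the tag-allowlist approach the reply describes. The post does not show its regex, so `regex_tag_names_ok` is a hypothetical reconstruction of a check that only looks at the tag name inside `<>`; beside it is a parser-based sanitizer (Python's standard `html.parser`) that keeps the same tags but re-emits them without attributes and escapes everything else. The heading levels in `ALLOWED_TAGS` are an assumption, since the post only says "H".

```python
import re
from html import escape
from html.parser import HTMLParser

# Tags the reply allows: P, H, I, B. Which heading levels "H" covers is
# not stated in the post; h1-h6 is an assumption made for this example.
ALLOWED_TAGS = {"p", "h1", "h2", "h3", "h4", "h5", "h6", "i", "b"}

# Hypothetical reconstruction of a "tag name must be P, H, I or B" check.
# Group 1 is the tag name; whatever follows it up to '>' is never examined.
TAG_NAME_RE = re.compile(r"<\s*/?\s*([A-Za-z][A-Za-z0-9]*)[^>]*>")


def regex_tag_names_ok(text: str) -> bool:
    """True if every tag *name* is on the allowlist.

    Attributes are not inspected, so <b onmouseover="..."> passes.
    """
    for m in TAG_NAME_RE.finditer(text):
        if m.group(1).lower() not in ALLOWED_TAGS:
            return False
    return True


class AllowlistSanitizer(HTMLParser):
    """Rebuild the input from parsed tokens.

    Allowed tags are re-emitted with no attributes, disallowed tags are
    dropped (their text still flows through), all text is HTML-escaped,
    and any tags left open at the end are closed in order.
    """

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_stack = []

    def handle_starttag(self, tag, attrs):
        tag = tag.lower()
        if tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")  # attributes deliberately dropped
            self.open_stack.append(tag)

    def handle_startendtag(self, tag, attrs):
        tag = tag.lower()
        if tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}></{tag}>")

    def handle_endtag(self, tag):
        tag = tag.lower()
        if tag in ALLOWED_TAGS and tag in self.open_stack:
            # Close anything opened after it so the output stays well-formed.
            while self.open_stack:
                t = self.open_stack.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break

    def handle_data(self, data):
        # convert_charrefs=True hands us decoded text; escape it again so
        # "&lt;script&gt;" in the input cannot come back out as a tag.
        self.out.append(escape(data, quote=True))

    def handle_comment(self, data):
        pass  # comments are dropped rather than passed through

    def handle_decl(self, decl):
        pass

    def handle_pi(self, data):
        pass

    def unknown_decl(self, data):
        pass

    def result(self) -> str:
        self.close()
        while self.open_stack:
            self.out.append(f"</{self.open_stack.pop()}>")
        return "".join(self.out)


def sanitize(html_text: str) -> str:
    """Return html_text reduced to the allowlisted tags with no attributes."""
    p = AllowlistSanitizer()
    p.feed(html_text)
    return p.result()


if __name__ == "__main__":
    # Constructed sample input: an allowed tag carrying an event handler.
    sample = '<b onmouseover="alert(1)">hi</b>'
    print(regex_tag_names_ok(sample))  # tag name is B, so the regex is happy
    print(sanitize(sample))            # <b>hi</b>
```

The two functions differ on exactly the case the thread is about: a tag whose name is allowed but which carries an attribute. Matching only the name inside `<>` accepts it; the parser-based version keeps the tag and discards the attribute. The parser also handles `<script>` and `<img>` (dropped, with script text escaped), entity-encoded tags in the text (re-escaped rather than decoded into markup), uppercase tag names, and unclosed tags.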