Posted by joey.powell on 10/24/07 20:58

On Oct 24, 12:06 pm, "Sanders Kaufman" <bu...@kaufman.net> wrote:
> "Michael Fesser" <neti...@gmx.de> wrote in message
>
> news:m6lsh3l272au3th4dapinh8ijdv3nvfkf3@4ax.com...
>
> > .oO(joey.pow...@topscene.com)
>
> >>I have a web app with two textboxes. The first textbox allows users to
> >>type in various text, html tags and CSS. The second textbox, on post
> >>back, will display/markup the text entered from the first textbox. The
> >>idea is that users can insert their own "descriptions" for items
> >>maintained by the website. Obviously if I am going to do something
> >>like this I should be careful, with the threat of XSS attacks, etc...
>
> > Instead of allowing them to use full HTML, you should consider to use
> > something like BBCode for example. Give them just the things they need,
> > not more.
>
> > With full HTML there are _many_ different ways to include scripting.
> > It's very hard to block them all, so you shouldn't allow it at all.
>
> I just got fiished struggling with that very thing.
> I finally decided to allow HTML - but only a couple of tags.
> I built a simple regex that makes sure that anything within <> is a P, H, I,
> B - and that's it.
>
>
>
>
>
> > Micha- Hide quoted text -
>
> - Show quoted text -

So do you have a simple expression that will match on "<script>" (omit
the double quotes)?

[Back to original message]