Posted by Steve on 10/24/07 21:25

<joey.powell@topscene.com> wrote in message
news:1193259536.723095.170020@i13g2000prf.googlegroups.com...
> On Oct 24, 12:06 pm, "Sanders Kaufman" <bu...@kaufman.net> wrote:
>> "Michael Fesser" <neti...@gmx.de> wrote in message
>>
>> news:m6lsh3l272au3th4dapinh8ijdv3nvfkf3@4ax.com...
>>
>> > .oO(joey.pow...@topscene.com)
>>
>> >>I have a web app with two textboxes. The first textbox allows users to
>> >>type in various text, html tags and CSS. The second textbox, on post
>> >>back, will display/markup the text entered from the first textbox. The
>> >>idea is that users can insert their own "descriptions" for items
>> >>maintained by the website. Obviously if I am going to do something
>> >>like this I should be careful, with the threat of XSS attacks, etc...
>>
>> > Instead of allowing them to use full HTML, you should consider to use
>> > something like BBCode for example. Give them just the things they need,
>> > not more.
>>
>> > With full HTML there are _many_ different ways to include scripting.
>> > It's very hard to block them all, so you shouldn't allow it at all.
>>
>> I just got fiished struggling with that very thing.
>> I finally decided to allow HTML - but only a couple of tags.
>> I built a simple regex that makes sure that anything within <> is a P, H,
>> I,
>> B - and that's it.
>>
>>
>>
>>
>>
>> > Micha- Hide quoted text -
>>
>> - Show quoted text -
>
> So do you have a simple expression that will match on "<script>" (omit
> the double quotes)?

google.

[Back to original message]