Reply to Re: XSS: Ways to disguise JavaScript tags? — PHP Programming Language

Posted by Chung Leong on 12/17/05 21:25

Method 1: Use "javascript:" in URLs.

Example: <img src="javascript: [do stuff here] ">

IE will blissfully execute the line.

Method 2: Put Javascript into handlers.

Example: <img onerror=" [do stuff here] " src="bobo.gif">

Method 3: Insert <script> in between letters of "script".

Example: <scr<script>ipt> .... </sc<script>ript>

After your code removes the bogus script tags, the ones that does
the real damage will reform.

Allowing users to inject HTML into your pages is asking for trouble.
Even if you managed to filter out all Javascript, there are still
plenty of other tricks that can be played: inner frames, base tags, CSS
positioning, ActiveX controls, etc..

Just make sure plain text fields are always passed through
htmlspecialchars() before output, then you're safe.

[Back to original message]

Удаленная работа для программистов • Как заработать на Google AdSense • England, UK • статьи на английском • PHP MySQL CMS Apache Oscommerce • Online Business Knowledge Base • DVD MP3 AVI MP4 players codecs conversion help

Home • Search • Site Map • Set as Homepage • Add to Favourites

Сайт изготовлен в Студии Валентина Петручека —
изготовление и поддержка веб-сайтов, разработка программного обеспечения, поисковая оптимизация