|
Posted by Adrienne on 05/25/05 21:31
Gazing into my crystal ball I observed "Simon" <spambucket@myoddweb.com>
writing in news:3fiut9F7s7lpU1@individual.net:
> Hi,
>
> I am trying to write a class in php that removes possible injections in
> user given html, (from a <textarea>).
> I realize that I could prevent any HTML code '<' and '>' but that
> would, (IMHO), be a bit of an overkill.
> I don't want to limit html for the sake of a handful of bad elements.
>
> but before I do that I need to work out what is potentially malicious
> and what is not.
>
> My first assertion is that the html tags, (<a>, <table> etc...), in
> themselves are not a potential danger, (Apart of course for <script>).
> By that I mean there is no tag that can make my server behave in a
> certain way, only the elements in the tag can be hurtful.
>
> My second assertion is that the element 'style="...", in any tag,
> cannot contain any malicious code, (that is for example contain any
> donkey(...) etc), so I would be right in allowing any style="...",
> id="..." and class="..." elements.
>
> Are my above assertions right?
> And where would I be able to find a more detailed article on the
> possible dangers of HTML tags and elements?
>
> I do realize that php can have it's own problems, but I would like to
> limit myself to 'normal' html.
>
> Many thanks in advance.
>
> Simon
>
>
>
If you're working with a database, beware of SQL Injection, ie:
<textarea>DROP TABLE</textarea>
http://www.securiteam.com/securityreviews/5DP0N1P76E.html has some good
information.
--
Adrienne Boswell
http://www.cavalcade-of-coding.info
Please respond to the group so others can share
[Back to original message]
|