RE: Preventing cross site scripting

["David Cameron" <dcameron () itis-now com>]

Create a list of unacceptable tags in an array (eg applet, embed), loop through the array and generate a regexpr based 
on the array, something of the form:
<(applet)|(embed).?> and replace all instances with "".

Do the same for any possible closing tags ie:
</(applet)|(embed)> and replace all instances with "".

BTW the RegExpr may be wrong, I'm not all that hot on RegExprs, but you get the idea.

regards
David Cameron
nOw.b2b
dcameron () itis-now com

> -----Original Message-----
> From: Andrew Beverley [mailto:mail () andybev com]
> Sent: Friday, 20 June 2003 4:28 AM
> To: webappsec () securityfocus com
> Subject: Preventing cross site scripting
>
>
> I am currently writing a web application that, as a small part of it,
> needs to display an email message. Obviously the message is 
> potentially
> in html format, which to display could be sent straight to 
> the browser.
>
> I would like to know the best way of filtering out undesirable html. I
> understand the best way is to only allow acceptable 
> information, in this
> case all the different html formatting tags.
>
> However, there is a lot of tags that are acceptable. Another approach
> would be to strip out all the bad stuff such as <SCRIPT>, <OBJECT>,
> <APPLET>, and <EMBED> but this is far from ideal because of new tags
> becoming available and so on.
>
> Are there any functions available (for php) that will take a html page
> as input and strip out all nasty stuff? Does anyone have 
> suggestions as
> to how to do this as easy as possible?
>
> Thanks,
>
> Andrew Beverley