http://blog.digitalstruct.com/2007/05/06/non-standard-html-fuels-xss-attacks/ Getting inside the mind of a php developer. Tue, 17 Jan 2012 14:59:51 +0000 hourly 1 http://wordpress.org/?v=3.3.1 http://blog.digitalstruct.com/2007/05/06/non-standard-html-fuels-xss-attacks/comment-page-1/#comment-30177 Santosh Patnaik Tue, 06 Nov 2007 09:37:02 +0000 http://blog.digitalstruct.com/2007/05/06/non-standard-html-fuels-xss-attacks/#comment-30177 Have a look at <a href="http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed/index.php" rel="nofollow">htmLawed</a>, a small and highly customizable HTML filter/purifier PHP script with anti-XSS capabilities. Have a look at htmLawed, a small and highly customizable HTML filter/purifier PHP script with anti-XSS capabilities.

]]> http://blog.digitalstruct.com/2007/05/06/non-standard-html-fuels-xss-attacks/comment-page-1/#comment-6110 Mike Willbanks Tue, 08 May 2007 16:56:48 +0000 http://blog.digitalstruct.com/2007/05/06/non-standard-html-fuels-xss-attacks/#comment-6110 @Ciprian: That is correct, in this case I was just showing an example of what was found in a real world application. The function urlencode would be the proper way to encode urls for the href tag. However, this is not always used. Essentially proper filtering + urlencode or htmlentities should be sufficient depending on the area of application. For instance if you are taking in an integer you may just want to append it to the string as long as it has been verified in that type of data. @Ciprian: That is correct, in this case I was just showing an example of what was found in a real world application. The function urlencode would be the proper way to encode urls for the href tag. However, this is not always used. Essentially proper filtering + urlencode or htmlentities should be sufficient depending on the area of application. For instance if you are taking in an integer you may just want to append it to the string as long as it has been verified in that type of data.

]]> http://blog.digitalstruct.com/2007/05/06/non-standard-html-fuels-xss-attacks/comment-page-1/#comment-6104 Ciprian Tue, 08 May 2007 15:21:48 +0000 http://blog.digitalstruct.com/2007/05/06/non-standard-html-fuels-xss-attacks/#comment-6104 You should always use urlencode to encode url entities. Space will be translated in %20, making it harmless. You should always use urlencode to encode url entities. Space will be translated in %20, making it harmless.

]]>