Todd O'Bryan wrote:
> Is it not sufficient to just look for <script> and <object> tags and
> filter those out?
>
> Are there other HTML things people can do that would pose risks?
Yes, several that I can think of right away.

For example CSS injection: putting "style" markup in the elements can do anything from completely breaking the layout to hiding advertising. If I can do an 'img src=.... style="..."', I can replace your ads with mine (using positioning of images) or replace elements of your site with my own.

If I add an "onClick", I can lead your users somewhere else. If I can put a transparent image over the "search" button on the Google homepage, with an onClick on it, I can send people to my own search/porn site.

IFRAME -- "I know, I'll just include my own ads in the site" :-)

Fiddling around with link targets and the status bar display (showing some other URL in the status bar than where the link actually goes), again sending people somewhere else.

All this may sound a bit (very?) paranoid for a small community portal site. The large number of comment spamming, SPAM and exploits against phpBB sites, etc. shows that some people just don't play fair. You don't really want these people to go and write arbitrary HTML on your page. And the potential for abuse is such that if you DO allow HTML in postings, you have a lot of filtering to do.

Daniel

You received this message because you are subscribed to the Google Groups "Django users" group.
For more options, visit this group at http://groups.google.com/group/django-users
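Every case Daniel lists works without a single `<script>` or `<object>` tag, which is why the blacklist Todd asked about is not enough. The following is an added example, not code from this thread, from Daniel, or from Django: an allowlist sanitizer built on Python's standard `html.parser`, shown beside the naive tag blacklist. The permitted tags, attributes and URL schemes are an assumed policy for a comment form; the `attacker.example` URLs are constructed; the four payloads mirror the cases in the reply above (style-based overlay, onClick, iframe, and a misleading href whose status-bar text differs from its target).

```python
"""Allowlist HTML sanitizer for user comments.

Added example, not code from this thread or from Django. The permitted
tags, attributes and URL schemes below are an assumed policy for a
comment form; every URL in the sample payloads is constructed.
"""
import re
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "a", "ul", "ol",
                "li", "code", "pre", "blockquote"}
# Per-tag attribute allowlist: no style, no on* handlers, no target.
ALLOWED_ATTRS = {"a": {"href", "title"}}
ALLOWED_SCHEMES = {"http", "https", "mailto"}
VOID_TAGS = {"br"}
# Tags whose content is discarded along with the tag itself.
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed"}

_SCHEME_RE = re.compile(r"^([a-zA-Z][a-zA-Z0-9+.\-]*):")


def safe_url(url):
    """True for relative URLs and absolute URLs with an allowed scheme.

    Whitespace and control characters are removed first because browsers
    ignore them inside the scheme ("jav\\tascript:" still runs).
    """
    cleaned = "".join(c for c in url if c.isprintable() and not c.isspace())
    m = _SCHEME_RE.match(cleaned)
    return m is None or m.group(1).lower() in ALLOWED_SCHEMES


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.stack = []       # allowed tags currently open, for balancing
        self.skip_depth = 0   # > 0 while inside a DROP_WITH_CONTENT tag

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return            # drop the tag, keep any text inside it
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, ()):
                continue      # style=, onclick=, onmouseover=, target= end here
            if name == "href" and not safe_url(value):
                continue      # javascript:, data:, vbscript: ...
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.stack.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in self.stack:
            return
        while self.stack:     # close anything still open inside it, too
            open_tag = self.stack.pop()
            self.out.append(f"</{open_tag}>")
            if open_tag == tag:
                break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

    # Comments and declarations are dropped by the base-class defaults.

    def result(self):
        self.close()
        while self.stack:     # close tags the poster left open
            self.out.append(f"</{self.stack.pop()}>")
        return "".join(self.out)


def sanitize(html):
    parser = AllowlistSanitizer()
    parser.feed(html)
    return parser.result()


_NAIVE_RE = re.compile(r"</?(?:script|object)\b[^>]*>", re.IGNORECASE)


def naive_filter(html):
    """The approach asked about above: strip only <script> and <object>."""
    return _NAIVE_RE.sub("", html)


# Constructed payloads mirroring the cases in the reply above.
PAYLOADS = {
    "css_overlay": '<img src="http://attacker.example/ad.png" '
                   'style="position:absolute;top:0;left:0">',
    "onclick": '<a href="http://example.com/" '
               'onclick="location=\'http://attacker.example/\'">search</a>',
    "iframe_ads": '<iframe src="http://attacker.example/ads.html"></iframe>',
    "fake_status": '<a href="javascript:location=\'http://attacker.example/\'" '
                   'onmouseover="window.status=\'http://example.com/\'">'
                   'example.com</a>',
}

if __name__ == "__main__":
    for name, payload in PAYLOADS.items():
        print(f"{name}:")
        print("  blacklist ->", naive_filter(payload))
        print("  allowlist ->", sanitize(payload))
```

Run as a script, the blacklist returns all four payloads untouched while the allowlist reduces them to an empty string, `<a href="http://example.com/">search</a>`, an empty string and `<a>example.com</a>` respectively. The design point is that the sanitizer never has to know the attacker's trick: anything not on the list (a `style` attribute, an `on*` handler, an `iframe`, a `javascript:` scheme) is dropped by default, and the open-tag stack keeps a poster from leaving a `<b>` or `<blockquote>` open to wreck the layout of the rest of the page. Protocol-relative URLs (`//host/`) pass `safe_url` because they resolve to http or https; tighten `ALLOWED_SCHEMES` handling if that is unwanted.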