Unfortunately CSS attacks are more complicated than that. As is generally
the case with input validation, it's flawed to try to come up with a list of
*bad* things and filter them out - rather, you should come up with a list
of things that are OK, and *only allow* those...
I.e., if I were validati
I think the main problem is that a CSS attack contains HTML and
JavaScript. So it is code inside the body. Do you see my point? :-)) It is
very hard to explain. I mean, the WWW consists of HTML pages. All PHP and
CGI scripts disgorge HTML pages. And so you cannot filter this syntax
because
At 03:17 AM 3/12/02 +1100, Nik Cubrilovic wrote:
>In short, no
>
>--test.php-
>
>-end test.php---
>
>will still execute the script on the client side. The function(s) do
>filter special characters, but do not fully prevent cross-site scripting.
How about additionally
Hello folks,
Using PHP, if I have a text string I want to display, is it enough to use
htmlentities() or htmlspecialchars()
to encode potentially dangerous characters, or do I need to take further
precautions?
http://www.php.net/manual/en/function.htmlentities.php
http://www.php.net/manual/en
In short, no
--test.php-
test
";
?>
-end test.php---
will still execute the script on the client side. The function(s) do
filter special characters, but do not fully prevent cross-site scripting.
-Nik Cubrilovic
On Mon, 11 Mar 2002, Steve Sobol wrote:
> Hello
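The shortcoming Nik points out (htmlentities() encodes special characters but does not by itself stop cross-site scripting) and the allow-list approach recommended earlier in the thread, shown side by side as an added PHP example. This is not the test.php from the thread (whose body did not survive) and not code from any poster. It assumes the ENT_COMPAT behaviour that was htmlentities()'s default at the time (single quotes left alone); the helper names encode_legacy(), encode_attr() and safe_href(), the http/https scheme allow-list and the sample payloads are my own.

```php
<?php
// Added example, not from the thread: the same untrusted string placed in
// three HTML output contexts. Encoding alone is enough for body text, but
// not for a single-quoted attribute (under ENT_COMPAT) or for an href, where
// a "javascript:" URL contains nothing htmlentities() would touch.

// Legacy behaviour assumed for this example: ENT_COMPAT was the default flag
// in older PHP, so a single quote passes through unencoded.
function encode_legacy(string $s): string {
    return htmlentities($s, ENT_COMPAT, 'UTF-8');
}

// Encode both quote kinds, which is what any attribute value needs at minimum.
function encode_attr(string $s): string {
    return htmlentities($s, ENT_QUOTES, 'UTF-8');
}

// Allow-list for a value destined for href: accept only absolute http/https
// URLs (assumption of this example; relative links would need their own rule),
// then encode for the attribute context. Anything else is rejected outright
// rather than "cleaned".
function safe_href(string $url): ?string {
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    return encode_attr($url);
}

// Constructed sample inputs.
$payloads = [
    "plain text",
    "http://www.php.net/",
    "<script>alert(1)</script>",          // caught by any HTML encoder
    "javascript:alert(document.cookie)",  // no special chars: survives htmlentities()
    "' onmouseover='alert(1)",            // breaks a single-quoted attribute under ENT_COMPAT
];

foreach ($payloads as $p) {
    printf("input: %s\n", $p);
    // 1. Body text: encoding is sufficient here.
    printf("  body text:         <p>%s</p>\n", encode_attr($p));
    // 2. Single-quoted attribute with the legacy flag: the quote survives and
    //    the attacker's onmouseover= lands inside the tag.
    printf("  attr (ENT_COMPAT): <a title='%s'>test</a>\n", encode_legacy($p));
    // 3. href, fully encoded: still a live javascript: link when clicked.
    printf("  href (encoded):    <a href=\"%s\">test</a>\n", encode_attr($p));
    // 4. href with the allow-list: only http/https gets through.
    $h = safe_href($p);
    printf("  href (allow-list): %s\n\n",
        $h === null ? "(rejected)" : "<a href=\"$h\">test</a>");
}
```

Run it with `php example.php` and compare the four lines per payload: the `<script>` payload is neutralised everywhere by encoding alone, the quote payload only breaks the ENT_COMPAT attribute, and the `javascript:` payload is stopped only by the allow-list, which is the point both replies above were making.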