I think the main problem is that a CSS attack contains HTML and 
JavaScript. So it is code inside the body. Do you see my point? :-)) It is 
very hard to explain. I mean, the WWW consists of HTML pages. All PHP and 
CGI scripts disgorge HTML pages. And so you cannot filter this syntax 
because it is a part of it.
Hmm, I think I'm very bad at trying to explain a problem, sorry.

Greetings

Dominik

At 03:17 12.03.02 +1100, Nik Cubrilovic wrote:
>In short, no
>
>----------test.php---------
><? $test = "javascript:alert('hi')"; print "42e07d.jpg"; ?>
>---------end test.php-------
>
>will still execute the script on the client side. The function(s) do
>filter special characters, but do not fully prevent cross-site scripting.
>
>-Nik Cubrilovic
>
>On Mon, 11 Mar 2002, Steve Sobol wrote:
>
> > Hello folks,
> >
> > Using PHP, if I have a text string I want to display, is it enough to use
> > htmlentities() or htmlspecialchars()
> > to encode potentially dangerous characters, or do I need to take further
> > precautions?
> >
> > http://www.php.net/manual/en/function.htmlentities.php
> >
> > http://www.php.net/manual/en/function.htmlspecialchars.php
> >
> >
> >
> >
> > --
> > JustThe.net LLC - Steve "Web Dude" Sobol, CTO      ICQ: 56972932/WebDude216
> > website: http://JustThe.net  email: [EMAIL PROTECTED]  phone: 216.619.2NET
> > postal: 5686 Davis Drive, Mentor On The Lake, OH 44060-2752  DalNet: ZX-2
> >

--
http://www.code-foundation.de
217.229.69.207 - - [14/Oct/2001:02:29:41 +0200] "GET
/MSADC/root.exe?/c+dir

Microsoft? Where do you want to surf today?

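The javascript:alert('hi') case that Nik quotes, worked through as an added example (this is not code from the thread or from any of its authors). It shows why htmlspecialchars() is enough when the value is rendered as element text and not enough when it ends up inside an href, and what the extra precaution Steve asks about looks like for that context. safe_href() is a hypothetical helper name written for this example.

```php
<?php
// Added example, not code from the thread. Walks through the
// javascript:alert('hi') case: htmlspecialchars() is sufficient when the
// value lands in element text, and insufficient when it lands in an href,
// because the browser decodes entities inside attribute values before it
// interprets the URL. safe_href() is a hypothetical helper for this example.

$test = "javascript:alert('hi')";

// Text context: safe. Nothing in $test is special to the HTML parser, so
// the string is displayed literally and never executed. ENT_QUOTES matters:
// before PHP 8.1 the default flags leave the single quote unencoded.
echo '<p>' . htmlspecialchars($test, ENT_QUOTES, 'UTF-8') . "</p>\n";

// Attribute context: still exploitable. The quotes become &#039;, the
// browser turns them back into ' when it reads the attribute, and the
// link's URL is javascript:alert('hi'). Entity encoding fixed the HTML
// syntax but said nothing about the URL's meaning.
echo '<a href="' . htmlspecialchars($test, ENT_QUOTES, 'UTF-8') . '">link</a>' . "\n";

/**
 * Return a value that is safe to place inside href="...".
 * Validates the URL scheme against an allowlist, then entity-encodes.
 */
function safe_href(string $url): string
{
    // Mirror what browsers do before parsing a URL: strip leading and
    // trailing whitespace/C0 controls, and remove tab, LF and CR anywhere.
    // Otherwise "java\tscript:alert(1)" would not look like a scheme here
    // but would to the browser.
    $url = preg_replace('/[\t\n\r]/', '', trim($url, " \t\n\r\0\x0B"));

    // Anything that starts like "scheme:" must be http or https. Values
    // with no scheme (relative links) pass through to the encoder.
    if (preg_match('#^([a-z][a-z0-9+.\-]*):#i', $url, $m)
        && !in_array(strtolower($m[1]), ['http', 'https'], true)) {
        return '#';
    }

    return htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
}

// Scheme check first, entity encoding second: the javascript: payloads are
// replaced by "#", while an ordinary URL keeps its meaning and only has
// its &, < and > encoded for the attribute.
echo '<a href="' . safe_href($test) . '">link</a>' . "\n";
echo '<a href="' . safe_href("\tJavaScript:alert('hi')") . '">link</a>' . "\n";
echo '<a href="' . safe_href('https://example.com/?q=a&b=<x>') . '">link</a>' . "\n";
echo '<a href="' . safe_href('/relative/path?x=1') . '">link</a>' . "\n";
```

The split is the practical answer to the original question: htmlspecialchars() (with ENT_QUOTES) handles every character the HTML parser cares about, so it is the right tool for element text and for quoted attribute values, but a URL attribute, an event handler or a script block interprets the decoded value a second time, and that second interpreter needs its own validation, here an allowlist of schemes.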