I think the main problem is that a CSS attack contains HTML and JavaScript. So it is code, inside the body. Do you see my point? :-)) It is very hard to explain. I mean, the WWW consists of HTML pages. All PHP and CGI scripts disgorge HTML pages. And so you cannot filter this syntax because it is a part of it. Hmm, I think I'm very bad at trying to explain a problem, sorry.
Greetings
Dominik

At 03:17 12.03.02 +1100, Nik Cubrilovic wrote:
>In short, no
>
>----------test.php---------
><? $test = "javascript:alert('hi')"; print "42e07d.jpg"; ?>
>---------end test.php-------
>
>will still execute the script on the client side. The function(s) do
>filter special characters, but do not fully prevent cross-site scripting.
>
>-Nik Cubrilovic
>
>On Mon, 11 Mar 2002, Steve Sobol wrote:
>
> > Hello folks,
> >
> > Using PHP, if I have a text string I want to display, is it enough to use
> > htmlentities() or htmlspecialchars()
> > to encode potentially dangerous characters, or do I need to take further
> > precautions?
> >
> > http://www.php.net/manual/en/function.htmlentities.php
> >
> > http://www.php.net/manual/en/function.htmlspecialchars.php
> >
> > --
> > JustThe.net LLC - Steve "Web Dude" Sobol, CTO ICQ: 56972932/WebDude216
> > website: http://JustThe.net email: [EMAIL PROTECTED] phone: 216.619.2NET
> > postal: 5686 Davis Drive, Mentor On The Lake, OH 44060-2752 DalNet: ZX-2

--
http://www.code-foundation.de
217.229.69.207 - - [14/Oct/2001:02:29:41 +0200] "GET /MSADC/root.exe?/c+dir
Microsoft? Where do you want to surf today?
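The point Nik makes in the thread, that htmlspecialchars() encodes characters but does not stop a javascript: URL from being placed into an href or src attribute, can be seen directly in PHP. The following is an added example, not code from any of the posters; the function names safe_url() and render_link() and the sample URLs are my own constructed illustration. It shows the encoded value first, then the two steps a page actually needs for attribute context: validate the URL scheme against an allowlist, and only then attribute-encode the value on output.

```php
<?php
// Added example (not from the original thread): why htmlspecialchars()
// alone is not enough for URLs in attributes, and a scheme allowlist
// that closes the gap. Sample inputs below are constructed.

// The value from Nik's test.php, standing in for user-supplied data.
$test = "javascript:alert('hi')";

// ENT_QUOTES is passed explicitly: before PHP 8.1 the default left single
// quotes alone, and the explicit flag behaves the same on every version.
$encoded = htmlspecialchars($test, ENT_QUOTES, 'UTF-8');
// $encoded is now: javascript:alert(&#039;hi&#039;)
// The scheme is untouched, and a browser decodes the entities inside an
// attribute before interpreting the URL, so <a href="$encoded"> still runs
// the script on click. Encoding handled the characters, not the meaning.

/**
 * Return $url unchanged if its scheme is allowed (or it is a relative path),
 * otherwise null. Hypothetical helper written for this example.
 */
function safe_url(string $url): ?string
{
    // Browsers ignore ASCII control characters and whitespace inside a
    // scheme ("java\tscript:"), so check a stripped copy of the value.
    $clean = preg_replace('/[\x00-\x20\x7F]/', '', $url);

    // Protocol-relative URLs (//host/...) point at another host; reject them.
    if (strncmp($clean, '//', 2) === 0) {
        return null;
    }

    // No scheme before the first '/', '?' or '#': a relative URL, accepted.
    if (!preg_match('/^([a-zA-Z][a-zA-Z0-9+.\-]*):/', $clean, $m)) {
        return $url;
    }

    // Absolute URL: only explicitly allowed schemes pass. javascript:,
    // vbscript:, data: and anything unlisted are rejected.
    $allowed = ['http', 'https', 'mailto'];
    return in_array(strtolower($m[1]), $allowed, true) ? $url : null;
}

/**
 * Build an <a> element: validate the URL first, then encode for the
 * attribute and text contexts. Hypothetical helper written for this example.
 */
function render_link(string $url, string $label): string
{
    $href = safe_url($url);
    if ($href === null) {
        $href = '#'; // or drop the link entirely, depending on the page
    }
    return '<a href="' . htmlspecialchars($href, ENT_QUOTES, 'UTF-8') . '">'
         . htmlspecialchars($label, ENT_QUOTES, 'UTF-8') . '</a>';
}

// Constructed inputs: three script-scheme variants, one legitimate URL
// carrying markup characters, one relative path.
$samples = [
    "javascript:alert('hi')",
    "JaVaScRiPt:alert(1)",
    "java\tscript:alert(1)",
    "https://example.com/?q=<script>",
    "/relative/page",
];

foreach ($samples as $u) {
    echo render_link($u, 'link'), "\n";
}
// The first three print href="#"; the fourth prints
// href="https://example.com/?q=&lt;script&gt;"; the last href="/relative/page".
```

The order matters: validation decides whether the value is acceptable as a URL at all, and encoding then makes it safe to place in the attribute. Doing only the second step is exactly the case the thread describes, where every character is encoded and the script still runs.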