On Wed, 2009-10-28 at 19:06 +0200, antoine wrote:
> Consider that we have an HTML form and a PHP script that handles the
> posted data.
> The scenario is that the bad guy writes in the form, for example,
> "<script> ... bad javascript code </script>" and posts this, so when the
> client gets the page we have an attack.

Apache is not the right point to protect against things like that. It
would be an ugly hack, which would easily be circumvented by the
attacker.

Use PHP's htmlentities() or strip_tags() on the untrusted data, before
echoing it back to the clients. The manual pages explain how to do this.


Morten

-- 
Morten K. Poulsen <m...@fabletech.com>
CTO, FableTech
http://fabletech.com/


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
   "   from the digest: users-digest-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
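The pattern Morten recommends, shown as an added example that is not part of the original thread: a constructed form value standing in for $_POST data, echoed once raw (the situation antoine describes) and once encoded with htmlentities() before it reaches the page. The strip_tags() variant is included so the difference between the two functions is visible on the same input; the function names render_unsafe, render_escaped, render_stripped and render_attribute are illustrative, not from the page.

```php
<?php
// Added example, not code from the original mailing-list post.
// Demonstrates Morten's advice: encode untrusted form data with
// htmlentities() (or remove markup with strip_tags()) before echoing it.

declare(strict_types=1);

// Constructed sample of a posted field, standing in for $_POST['comment'].
// It carries the kind of markup the thread describes.
$untrusted = '<script>alert("bad javascript code")</script> & "quotes"';

/**
 * The "before" state from the thread: the raw value goes straight into the
 * HTML, so the browser interprets any markup it contains.
 */
function render_unsafe(string $value): string
{
    return '<p>Your comment: ' . $value . '</p>';
}

/**
 * Fixed for HTML body text: every character that is special in HTML is
 * encoded, so the browser renders the input literally instead of executing it.
 * ENT_QUOTES also encodes ' and ", which matters when the same helper is
 * reused for attribute values; the charset must match the page's encoding.
 */
function render_escaped(string $value): string
{
    return '<p>Your comment: ' . htmlentities($value, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

/**
 * strip_tags() removes tag markup entirely. It is the alternative Morten
 * mentions, but note that it leaves quotes and ampersands untouched, so it
 * is not a substitute for encoding when the value lands inside an attribute.
 */
function render_stripped(string $value): string
{
    return '<p>Your comment: ' . strip_tags($value) . '</p>';
}

/**
 * Attribute context: encode with the same function and always quote the
 * attribute, so the encoded value cannot terminate it.
 */
function render_attribute(string $value): string
{
    $safe = htmlentities($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="comment" value="' . $safe . '">';
}

echo "UNSAFE:    " . render_unsafe($untrusted) . PHP_EOL;
echo "ESCAPED:   " . render_escaped($untrusted) . PHP_EOL;
echo "STRIPPED:  " . render_stripped($untrusted) . PHP_EOL;
echo "ATTRIBUTE: " . render_attribute($untrusted) . PHP_EOL;
```

Run it with `php example.php` and compare the four lines: only the ESCAPED and ATTRIBUTE outputs turn the angle brackets and quotes into entities, which is what makes the browser display the text rather than act on it. The encoding is applied at output time, in the script that builds the page, which is the layer Morten points at rather than Apache.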
