On Wed, 2009-10-28 at 19:06 +0200, antoine wrote:
> Consider that we have an HTML form and a PHP script that handles the
> posted data.
> The scenario is that the bad guy writes in the form for example
> "<script> ... bad javascript code </script>" and posts this, so when the
> client gets the page we have an attack.

Apache is not the right point to protect against things like that. It would be an ugly hack, which would easily be circumvented by the attacker.

Use PHP's htmlentities() or strip_tags() on the untrusted data, before echoing it back to the clients. The manual pages explain how to do this.

Morten

--
Morten K. Poulsen <m...@fabletech.com>
CTO, FableTech
http://fabletech.com/
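
The advice in the reply above, as an added example that is not part of the original thread: a PHP handler that escapes posted data before echoing it back. The form field name `comment`, the helper names `escape_html` and `strip_then_escape`, and the second sample string are assumptions made for illustration.

```php
<?php
// Added example: hypothetical handler for a form with one text field "comment".

/**
 * Escape untrusted text so the browser renders it as text, not markup.
 * Safe for HTML element content and for quoted attribute values.
 */
function escape_html(string $untrusted): string
{
    // ENT_QUOTES converts both double and single quotes to entities.
    // ENT_SUBSTITUTE replaces invalid byte sequences instead of making
    // htmlentities() return an empty string.
    // The encoding is passed explicitly rather than relying on the default.
    return htmlentities($untrusted, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Drop tags first, then escape what remains.
 * strip_tags() on its own removes tags but leaves quotes and ampersands
 * untouched, so its result still has to be escaped before output.
 */
function strip_then_escape(string $untrusted): string
{
    return escape_html(strip_tags($untrusted));
}

// Constructed sample input: the string from the question, plus a benign
// string containing quotes, an ampersand and a tag.
$samples = [
    '<script> ... bad javascript code </script>',
    'Tom & "Jerry" <b>wrote</b> this',
];

// When called from the form, handle the posted value instead of the samples.
$posted = $_POST['comment'] ?? null;
if (is_string($posted)) {
    $samples = [$posted];
}

foreach ($samples as $raw) {
    // Never echo $raw directly; only the escaped forms reach the client.
    echo 'escaped:  ', escape_html($raw), "\n";
    echo 'stripped: ', strip_then_escape($raw), "\n";
}
```

Run it with `php` on the command line to compare the two outputs for each sample; the raw value is never written to the response in either path.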