Good on you for actually doing input validation at all. In the past, I've pulled off deep evil by taking advantage of a lack of validation at places like the NIH's website.
yup, I even have my own system for dealing with cross-site scripting :) When tags are allowed, I pass everything through html tidy first, and then filter for the naughty stuff. I have tested it against all known XSS methods, but I may still have some work to do on it since I'm using a blacklist filter, rather than the recommended method of using a whitelist. Using tidy of course has the added benefit that my pages are still valid xhtml, even when users put in invalid html.
pulled off deep evil by taking advantage.. yes, I think I remember a post to that effect
![[personal profile]](https://www.dreamwidth.org/img/silk/identity/user.png){kind=small}
![[identity profile]](https://www.dreamwidth.org/img/silk/identity/openid.png){kind=small}
Re: just one question....
Date: 2005-02-18 11:21 pm (UTC)hehe :)
Re: just one question....
Date: 2005-02-18 11:46 pm (UTC)Re: just one question....
Date: 2005-02-19 07:18 am (UTC)When tags are allowed, I pass everything through html tidy first, and then filter for the naughty stuff. I have tested it against all known XSS methods, but I may still have some work to do on it since I'm using a blacklist filter, rather than the recommended method of using a whitelist. Using tidy of course has the added benefit that my pages are still valid xhtml, even when users put in invalid html.
pulled off deep evil by taking advantage..
yes, I think I remember a post to that effect