Re: [Full-disclosure] strip_tags() but not only vulnerability

Tõnu Samuel wrote:
> Many websites are still vulnerable and similar problems happen not depending 
> on programming language too often:
> http://www.jes.ee/~tonu/strip.php

yes, if you use strip_tags() with the whitelist argument the whitelisted
tag can be misused.. the php manual warns you about this, so no news..

note that strip_tags() isn't the right function to use against xss (use
regexpr, htmlentities() or htmlspecialchars() instead)

the solution is:
$foo = htmlentities(strip_tags($foo));

or just:
$foo = htmlentities($foo);

if you need to "white list" some tags use an alias (like [b]bold[/b],
etc) and then str_replace (as done by many web applications)

tonu: imho this thread is well suited for webappsec but not for fd or
bt, also can you remove the word "vulnerability" from the subject of
this type of mails?

don't misunderstand me, i like informative mails and yours efforts, just
post on the right mailing list : )

regards, ascii, http://www.ush.it

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/