[nycphp-talk] sanitizing user-submitted html
Chris Snyder
chris at psydeshow.org
Sat May 31 15:17:14 EDT 2003
strip_attributes() now loops back over the html, checking for new exploits created by the replacements. If any are found it decides the post is malicious and strips all HTML tags.
Same thing with the src='javascript: checks in safe_html().
http://chxo.com/scripts/safe_html-test.php
Hooray, I can let people post HTML to my sites again! Unless you find another hole in this, James...
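
The loop-back check this message describes, as an added PHP example that is not the safe_html code linked above: a single removal pass can splice the text on either side of a match into a new blocked attribute, so the output is checked again and the post loses all of its tags if anything reappears. The function names, the simplified pattern and the sample inputs are assumptions made for illustration.

```php
<?php
// Added illustration. strip_once(), strip_and_recheck() and ON_ATTR are
// hypothetical names, not taken from safe_html.

// Simplified pattern: whitespace, an on* attribute name, "=", then a value.
const ON_ATTR = '/\son\w+\s*=\s*("[^"]*"|\'[^\']*\'|[^\s>]+)/i';

// One pass: delete every event-handler attribute the pattern finds.
function strip_once(string $html): string
{
    return preg_replace(ON_ATTR, '', $html) ?? '';
}

// Strip, then look at the result again. If the replacement itself left a
// blocked attribute behind, treat the post as malicious and remove all tags.
function strip_and_recheck(string $html): string
{
    $clean = strip_once($html);
    if (preg_match(ON_ATTR, $clean) === 1) {
        return strip_tags($html);
    }
    return $clean;
}

// Constructed sample inputs.
$ordinary = '<b onclick="1">hi</b> <i>ok</i>';
// Removing the inner attribute joins " on" and "click=..." into a new one.
$nested = '<b on onclick="1"click="2">hi</b>';

foreach ([$ordinary, $nested] as $post) {
    echo 'input:       ', $post, PHP_EOL;
    echo 'single pass: ', strip_once($post), PHP_EOL;
    echo 'rechecked:   ', strip_and_recheck($post), PHP_EOL, PHP_EOL;
}
```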