lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Thu Mar 30 01:21:45 2006
From: ascii at katamail.com (ascii)
Subject: strip_tags() but not only vulnerability

T?nu Samuel wrote:
> Many websites are still vulnerable and similar problems happen not depending 
> on programming language too often:
> http://www.jes.ee/~tonu/strip.php

yes, if you use strip_tags() with the whitelist argument the whitelisted
tag can be misused.. the php manual warns you about this, so no news..

note that strip_tags() isn't the right function to use against xss (use
regexpr, htmlentities() or htmlspecialchars() instead)

the solution is:
$foo = htmlentities(strip_tags($foo));

or just:
$foo = htmlentities($foo);

if you need to "white list" some tags use an alias (like [b]bold[/b],
etc) and then str_replace (as done by many web applications)

tonu: imho this thread is well suited for webappsec but not for fd or
bt, also can you remove the word "vulnerability" from the subject of
this type of mails?

don't misunderstand me, i like informative mails and yours efforts, just
post on the right mailing list : )

regards, ascii, http://www.ush.it

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ