[TYPO3-dev] Removing strip_tags dangerous?
JoH
info at cybercraft.de
Fri Oct 19 11:52:47 CEST 2007
>>> no, because htmlspecialchars will encode <> signs
>>
>> No good idea!
>> http://applesoup.googlepages.com/bypass_filter.txt
>>
>> Maybe the security team should check this out ...
>>
>> HTH
>>
>> Joey
>>
> for XSS there is a function, maybe this should be called anyway:
> $this->cObj->removeBadHTML
Doesn't help in this case, since the bad HTML is generated on the client
side using specially encoded characters that don't look like HTML at all.
As far as I understood, the problem seems to be that there is no pattern one
could search for to replace or remove the characters.
The only appropriate solution seems to be a regular expression that will be
applied after removeBadHTML.
Other ideas?
Joey
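As an added illustration of the encoding side of this thread (example code, not from the list or from TYPO3), the snippet below contrasts strip_tags with htmlspecialchars on a constructed input, including a malformed UTF-8 byte, to show why the encoder, called with an explicit charset and the quote and substitution flags, is the control to rely on rather than a tag stripper or a blacklist regex. It assumes PHP 5.4 or newer and a page served as UTF-8.

```php
<?php
// Added example, not part of the original thread or of TYPO3's cObj.
// Assumption: the template is HTML served with charset=UTF-8 (PHP >= 5.4).
declare(strict_types=1);

// Encode untrusted text for an HTML body or a quoted attribute value.
function encodeForHtml(string $untrusted): string
{
    // ENT_QUOTES: encode both " and ' (the default leaves ' untouched).
    // ENT_SUBSTITUTE: replace invalid UTF-8 sequences with U+FFFD instead of
    //   returning an empty string, so nothing odd reaches the browser unencoded.
    // Explicit 'UTF-8': the encoder must agree with the page's declared charset,
    //   otherwise multi-byte or malformed input may be interpreted differently.
    return htmlspecialchars(
        $untrusted,
        ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5,
        'UTF-8'
    );
}

// strip_tags is a formatting helper, not a security control: it removes
// elements but leaves quotes and ampersands unencoded and passes invalid
// bytes straight through.
function stripOnly(string $untrusted): string
{
    return strip_tags($untrusted);
}

// Constructed sample: every HTML metacharacter plus one stray invalid byte.
$sample = "<b title='t'>\"a\" & b</b>\xC0";

foreach (['strip_tags' => stripOnly($sample), 'htmlspecialchars' => encodeForHtml($sample)] as $name => $out) {
    printf("%-16s -> %s (%d bytes)\n", $name, bin2hex($out), strlen($out));
}
```

Printing the hex form makes the difference visible: the stripped string still carries the raw quotes, ampersand and the stray byte, while the encoded string contains only ASCII entities and the U+FFFD replacement.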