[TYPO3-dev] Removing strip_tags dangerous?

Steffen Kamper steffen at sk-typo3.de
Fri Oct 19 12:10:16 CEST 2007


> Doesn't help in this case, since the bad HTML is generated on the client
> side using specially encoded characters that don't look like HTML at all.
> As far as I understood the problem seems to be that there is no pattern 
> one could search for to replace or remove the characters.
>
> The only appropriate solution seems to be a regular expression that will 
> be applied after removeBadHTML.
>
> Other ideas?
>
> Joey
>

i checked it with one of this example, in alt tag:
<font face="xyz[0xC0]">buried</font><font face="abc onmouseover=alert() 
s=[0xC0]">exploited</font>

the produced html is
alt="&lt;font face=&quot;xyz[0xC0]&quot;&gt;buried&lt;/font&gt;&lt;font 
face=&quot;abc onmouseover=alert() 
s=[0xC0]&quot;&gt;exploited&lt;/font&gt;"so i don't see a vulnerable thing 
her - it's never executed.vg  Steffen 






More information about the TYPO3-dev mailing list