What is 'harmful' HTML?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

s.dot
Tranquility In Moderation
Posts: 5001
Joined: Sun Feb 06, 2005 7:18 pm
Location: Indiana

Post by s.dot »

Feyd wrote me a nice HTML sanitizer, which includes a default blacklist of "bad tags" and "bad attributes". I am not sure of the license on that, as I paid for it, and I'm not sure how he uses it. But you might want to ask him for the default blacklist for his 'cleanTags' project.
Set Search Time - A Google Chrome extension. When you search, only results from the past year (or a set time period) are displayed. Helps tremendously when using new technologies to avoid outdated results.
wei
Forum Contributor
Posts: 140
Joined: Wed Jul 12, 2006 12:18 am

Post by wei »

There are many possibilities to inject malicious code into html, see

http://ha.ckers.org/xss.html

For PHP the safehtml tool is quite good and is faster than your usual regexp checks (which are not really safe either).

http://pixel-apes.com/safehtml/

and it tried to convert nasty code to valid xhtml as well.
Bigun
Forum Contributor
Posts: 237
Joined: Tue Jun 13, 2006 10:50 am

Post by Bigun »

wei wrote: There are many possibilities to inject malicious code into html, see

http://ha.ckers.org/xss.html

For PHP the safehtml tool is quite good and is faster than your usual regexp checks (which are not really safe either).

http://pixel-apes.com/safehtml/

and it tried to convert nasty code to valid xhtml as well.
That safehtml tool looks great, but I don't see any documentation for implementation...
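To show the difference between the blacklist approach s.dot describes and what wei means by regexp checks not being safe, here is an added allowlist sanitizer written for this thread; it is not code from the safehtml library, from Feyd's cleanTags, or from anyone in this thread. It assumes PHP 7+ with the DOM extension, and every constant and function name in it (ALLOWED_TAGS, sanitizeHtml, cleanNode, safeUrl) is my own.

```php
<?php
// Added example (not the safehtml library or Feyd's cleanTags): allowlist sanitizer on
// PHP's DOM extension, PHP 7+. Anything not listed is dropped: no blacklist to keep up.
const ALLOWED_TAGS    = ['p', 'br', 'b', 'i', 'em', 'strong', 'ul', 'ol', 'li', 'a'];
const ALLOWED_ATTRS   = ['a' => ['href', 'title']];
const ALLOWED_SCHEMES = ['http', 'https', 'mailto'];
function sanitizeHtml(string $html): string
{
    libxml_use_internal_errors(true);                  // malformed input is expected
    $doc = new DOMDocument();
    $doc->loadHTML('<?xml encoding="UTF-8"><body>' . $html . '</body>', LIBXML_NONET);
    libxml_clear_errors();
    $body = $doc->getElementsByTagName('body')->item(0);
    cleanNode($body);
    $out = '';
    foreach ($body->childNodes as $child) {            // re-serialise body content only
        $out .= $doc->saveHTML($child);
    }
    return $out;
}
function cleanNode(DOMNode $node): void
{
    foreach (iterator_to_array($node->childNodes, false) as $child) {  // static copy
        if (!$child instanceof DOMElement) {
            if (!$child instanceof DOMText) $node->removeChild($child); // comments, PIs
            continue;                                  // text is re-escaped on output
        }
        $tag = strtolower($child->tagName);
        if (!in_array($tag, ALLOWED_TAGS, true)) {     // script, style, iframe, svg ... with contents
            $node->removeChild($child);
            continue;
        }
        foreach (iterator_to_array($child->attributes, false) as $attr) {
            $name = strtolower($attr->name);           // on*, style, src ... are never listed
            $keep = in_array($name, ALLOWED_ATTRS[$tag] ?? [], true)
                 && ($name !== 'href' || safeUrl($attr->value));
            if (!$keep) $child->removeAttribute($attr->name);
        }
        cleanNode($child);
    }
}
function safeUrl(string $url): bool
{
    // Browsers skip tabs/newlines in a scheme ("java\tscript:"): strip control characters first;
    // protocol-relative "//host" and "\\host" are rejected too.
    $probe = preg_replace('/[\x00-\x20]+/', '', $url);
    if (!preg_match('/^([a-z][a-z0-9+.-]*):/i', $probe, $m)) {
        return !preg_match('#^[\\\\/]{2}#', $probe);
    }
    return in_array(strtolower($m[1]), ALLOWED_SCHEMES, true);
}
```

Feeding it `<p onclick="x">hi<script>alert(1)</script><a href="java&#9;script:alert(1)">l</a></p>` yields `<p>hi<a>l</a></p>`: the event handler, the script element and the tab-obfuscated scheme all go, without any of them having to appear on a list of bad things.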