Posted: Sat Jul 08, 2006 1:45 pm
by s.dot
Feyd wrote me a nice HTML sanitizer, which includes a default blacklist of "bad tags" and "bad attributes". I am not sure about the license on that, as I paid for it, and I'm not sure how he uses it. But you might want to ask him for the default blacklist for his 'cleanTags' project.

Posted: Wed Jul 12, 2006 12:23 am
by wei
There are many possibilities to inject malicious code into html, see

http://ha.ckers.org/xss.html

For php the safehtml tool is quite good and is faster than your usual regexp checks (which are not really safe either).

http://pixel-apes.com/safehtml/

and it tries to convert nasty code to valid xhtml as well.

Posted: Thu Jul 20, 2006 10:09 am
by Bigun
wei wrote: There are many possibilities to inject malicious code into html, see

http://ha.ckers.org/xss.html

For php the safehtml tool is quite good and is faster than your usual regexp checks (which are not really safe either).

http://pixel-apes.com/safehtml/

and it tries to convert nasty code to valid xhtml as well.
That safehtml tool looks great, but I don't see any documentation for implementation...