Injecting code in HTML

Simon

Hi,

I am trying to write a class in PHP that removes possible injections in user-given
HTML (from a <textarea>).
I realize that I could prevent any HTML code, '<' and '>', but that would
(IMHO) be a bit of overkill.
I don't want to limit HTML for the sake of a handful of bad elements.

But before I do that I need to work out what is potentially malicious and
what is not.

My first assertion is that the HTML tags (<a>, <table> etc.) in
themselves are not a potential danger (apart, of course, from <script>). By
that I mean there is no tag that can make my server behave in a certain way;
only the elements in the tag can be hurtful.

My second assertion is that the element 'style="..."', in any tag, cannot
contain any malicious code (that is, for example, contain any donkey(...)
etc.), so I would be right in allowing any style="...", id="..." and
class="..." elements.

Are my above assertions right?
And where would I be able to find a more detailed article on the possible
dangers of HTML tags and elements?

I do realize that PHP can have its own problems, but I would like to limit
myself to 'normal' HTML.

Many thanks in advance.

Simon
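An added example, not code from this thread or from Simon, of the allowlist approach he describes: a PHP DOMDocument filter that keeps only listed tags plus the id, class and href attributes (the lists are assumptions for illustration), drops any other element together with its contents, and removes href values whose scheme is not http, https or mailto.

```php
<?php
// Added example (not from the thread); the allowlists are assumptions.
function sanitize_html(string $html): string
{
    $allowedTags    = ['a', 'b', 'i', 'p', 'br', 'span', 'div', 'ul', 'ol', 'li',
                       'table', 'tr', 'td', 'th'];
    $allowedAttrs   = ['id', 'class', 'href'];   // no style, no on* handlers
    $allowedSchemes = ['http', 'https', 'mailto'];
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);            // user markup is rarely well-formed
    // The <?xml ...> prefix makes libxml read the input as UTF-8.
    $doc->loadHTML('<?xml encoding="UTF-8"><body>' . $html . '</body>');
    libxml_clear_errors();
    $xpath = new DOMXPath($doc);
    // Snapshot the list: removing nodes while walking a live DOMNodeList skips siblings.
    $nodes = iterator_to_array($xpath->query('//body//*'));
    foreach ($nodes as $node) {
        if (!in_array(strtolower($node->nodeName), $allowedTags, true)) {
            // Unknown tag (script, iframe, object, ...): drop it with its content.
            if ($node->parentNode !== null) {
                $node->parentNode->removeChild($node);
            }
            continue;
        }
        $attrNames = [];                         // copy names before mutating the map
        foreach ($node->attributes as $attr) {
            $attrNames[] = $attr->nodeName;
        }
        foreach ($attrNames as $name) {
            if (!in_array(strtolower($name), $allowedAttrs, true)) {
                $node->removeAttribute($name);
            } elseif (strtolower($name) === 'href') {
                // Browsers ignore control characters in URLs, so strip them before
                // reading the scheme; a relative link has no scheme and is kept.
                $norm   = preg_replace('/[\x00-\x20]+/', '', $node->getAttribute($name));
                $scheme = parse_url($norm, PHP_URL_SCHEME);
                if ($scheme === false
                    || ($scheme !== null && !in_array(strtolower($scheme), $allowedSchemes, true))) {
                    $node->removeAttribute($name);
                }
            }
        }
    }
    // Serialise only the body's children so the wrapper elements are not returned.
    $out = '';
    foreach ($doc->getElementsByTagName('body')->item(0)->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}
```

Dropped elements lose their text as well; to keep the text of an unknown tag instead, replace the node with a text node built from its textContent rather than removing it.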
 

Adrienne

If you're working with a database, beware of SQL injection, i.e.:

<textarea>DROP TABLE</textarea>
http://www.securiteam.com/securityreviews/5DP0N1P76E.html has some good
information.
 
