Injecting code in HTML

Discussion in 'HTML' started by Simon, May 25, 2005.

  1. Simon

    Simon Guest

    Hi,

    I am trying to write a class in PHP that removes possible injections in user-given
    HTML (from a <textarea>).
    I realize that I could prevent any HTML code ('<' and '>'), but that would,
    (IMHO), be a bit of overkill.
    I don't want to limit HTML for the sake of a handful of bad elements.

    But before I do that I need to work out what is potentially malicious and
    what is not.

    My first assertion is that the HTML tags (<a>, <table> etc.), in
    themselves are not a potential danger (apart, of course, from <script>). By
    that I mean there is no tag that can make my server behave in a certain way;
    only the elements in the tag can be hurtful.

    My second assertion is that the element style="...", in any tag, cannot
    contain any malicious code (that is, for example, contain any donkey(...)
    etc.), so I would be right in allowing any style="...", id="..." and
    class="..." elements.

    Are my above assertions right?
    And where would I be able to find a more detailed article on the possible
    dangers of HTML tags and elements?

    I do realize that PHP can have its own problems, but I would like to limit
    myself to 'normal' HTML.

    Many thanks in advance.

    Simon
    Simon, May 25, 2005
    #1
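    The approach Simon describes is an allowlist: decide which tags and attributes are known to be harmless and strip everything else, rather than hunting for the bad ones. The following is an added example (not Simon's class, and not code from the thread) of such a sanitizer in PHP. It assumes only the bundled DOM extension. Parsing into a DOM and re-serialising is deliberate: string or regex replacement over HTML is easy to get wrong. Attributes that are not listed for a tag, style, id, class and event handlers included, are removed, so an attribute survives only because someone decided it should; tags that are not listed are unwrapped (their text is kept) except for a short list whose content must go too. All sample input is constructed.

```php
<?php
// Added example, not Simon's class: an allowlist sanitizer for user-supplied HTML.
// Assumes PHP's DOM extension (ext/dom, bundled with PHP) is available.
// Policy: keep only listed tags and, per tag, only listed attributes; every other
// attribute (style, id, class, event handlers, ...) is dropped, and a short list of
// tags is removed together with its content.

final class HtmlAllowlist
{
    /** Tag => attributes permitted on it. Everything else is unwrapped or dropped. */
    private const ALLOWED = [
        'p' => [], 'br' => [], 'b' => [], 'i' => [], 'em' => [], 'strong' => [],
        'ul' => [], 'ol' => [], 'li' => [], 'blockquote' => [],
        'table' => [], 'thead' => [], 'tbody' => [], 'tr' => [], 'td' => [], 'th' => [],
        'a' => ['href', 'title'],
    ];

    /** Tags whose content must not survive either (unwrapping would leak it as text). */
    private const DROP_WITH_CONTENT = ['script', 'style', 'iframe', 'object', 'embed'];

    /** URL schemes accepted in href; a relative URL (no scheme) is also accepted. */
    private const SAFE_SCHEMES = ['http', 'https', 'mailto'];

    public static function clean(string $html): string
    {
        $doc = new DOMDocument();
        libxml_use_internal_errors(true);          // tolerate sloppy markup quietly
        $doc->loadHTML('<!DOCTYPE html><html><head><meta charset="utf-8"></head><body>'
            . $html . '</body></html>');
        libxml_clear_errors();

        $body = $doc->getElementsByTagName('body')->item(0);
        self::walk($body);

        $out = '';
        foreach ($body->childNodes as $child) {
            $out .= $doc->saveHTML($child);        // re-serialised by the DOM, not by string surgery
        }
        return $out;
    }

    private static function walk(DOMNode $node): void
    {
        // Snapshot the live NodeList first: removing while iterating skips siblings.
        foreach (iterator_to_array($node->childNodes, false) as $child) {
            if ($child instanceof DOMElement) {
                $tag = strtolower($child->tagName);

                if (in_array($tag, self::DROP_WITH_CONTENT, true)) {
                    $node->removeChild($child);
                    continue;
                }
                self::walk($child);                // clean descendants before deciding on the element
                if (!isset(self::ALLOWED[$tag])) {
                    // Unknown tag: keep its (already cleaned) children, drop the wrapper.
                    while ($child->firstChild !== null) {
                        $node->insertBefore($child->firstChild, $child);
                    }
                    $node->removeChild($child);
                    continue;
                }
                foreach (iterator_to_array($child->attributes, false) as $attr) {
                    $name = strtolower($attr->name);
                    $keep = in_array($name, self::ALLOWED[$tag], true)
                        && ($name !== 'href' || self::safeUrl($attr->value));
                    if (!$keep) {
                        $child->removeAttribute($attr->name);
                    }
                }
            } elseif (!($child instanceof DOMText)) {
                $node->removeChild($child);        // comments, PIs: not needed in user content
            }
        }
    }

    private static function safeUrl(string $url): bool
    {
        // Browsers ignore control characters inside a scheme, so strip them before checking.
        $url = preg_replace('/[\x00-\x1f\x7f]/', '', trim($url));
        if (!preg_match('/^([a-z][a-z0-9+.\-]*):/i', $url, $m)) {
            return true;                           // relative URL, no scheme to vet
        }
        return in_array(strtolower($m[1]), self::SAFE_SCHEMES, true);
    }
}

// Constructed input, not from the thread: a styled paragraph with an event handler,
// a script block, an unknown wrapper tag, and two links of which only one is allowed.
$dirty = '<p onmouseover="run()" style="color:red">Hello <b>world</b></p>'
       . '<script>run()</script><div>kept text</div>'
       . '<a href="javascript:run()">bad</a> <a href="https://example.com/" title="t">good</a>';
echo HtmlAllowlist::clean($dirty), "\n";
```

    Because the DOM decodes entities before the attribute check runs, an href written with character references is judged on its decoded value, which is what the browser would act on. Extending the policy means adding a tag or attribute to ALLOWED, never loosening the default.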

  2. Adrienne

    Adrienne Guest

    Gazing into my crystal ball I observed "Simon" <>
    writing in news::

    > Hi,
    >
    > I am trying to write a class in php that removes possible injections in
    > user given html, (from a <textarea>).
    > I realize that I could prevent any HTML code '<' and '>' but that
    > would, (IMHO), be a bit of an overkill.
    > I don't want to limit html for the sake of a handful of bad elements.
    >
    > but before I do that I need to work out what is potentially malicious
    > and what is not.
    >
    > My first assertion is that the html tags, (<a>, <table> etc...), in
    > themselves are not a potential danger, (Apart of course for <script>).
    > By that I mean there is no tag that can make my server behave in a
    > certain way, only the elements in the tag can be hurtful.
    >
    > My second assertion is that the element 'style="...", in any tag,
    > cannot contain any malicious code, (that is for example contain any
    > donkey(...) etc), so I would be right in allowing any style="...",
    > id="..." and class="..." elements.
    >
    > Are my above assertions right?
    > And where would I be able to find a more detailed article on the
    > possible dangers of HTML tags and elements?
    >
    > I do realize that PHP can have its own problems, but I would like to
    > limit myself to 'normal' HTML.
    >
    > Many thanks in advance.
    >
    > Simon
    If you're working with a database, beware of SQL Injection, ie:

    <textarea>DROP TABLE</textarea>
    http://www.securiteam.com/securityreviews/5DP0N1P76E.html has some good
    information.

    --
    Adrienne Boswell
    http://www.cavalcade-of-coding.info
    Please respond to the group so others can share
    Adrienne, May 25, 2005
    #2
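    Adrienne's point is that the textarea contents will usually end up in a database, and a string such as her DROP TABLE example must never be spliced into SQL text. The defence is to keep the SQL and the data separate with a prepared statement. The following is an added example in PHP, not code from the reply; it uses PDO with an in-memory SQLite database so it runs stand-alone (assumes the pdo_sqlite extension). The table and column names are made up for the example.

```php
<?php
// Added example, not from the thread: storing user text with parameterised SQL.
// Assumes PDO with the pdo_sqlite driver; the schema is invented for the demo.

function openStore(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');
    return $db;
}

function savePost(PDO $db, string $body): int
{
    // Wrong way (shown only as a comment): the user's text becomes part of the SQL.
    //   $db->exec("INSERT INTO posts (body) VALUES ('$body')");
    //
    // Right way: the statement is compiled first, the value is sent separately,
    // so whatever the value contains it is only ever data.
    $stmt = $db->prepare('INSERT INTO posts (body) VALUES (:body)');
    $stmt->execute([':body' => $body]);
    return (int) $db->lastInsertId();
}

function loadPost(PDO $db, int $id): ?string
{
    $stmt = $db->prepare('SELECT body FROM posts WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['body'];
}

$db = openStore();

// Constructed input modelled on the reply's example; it is stored verbatim.
$id = savePost($db, 'DROP TABLE posts');
echo loadPost($db, $id), "\n";

// The table is still there, with exactly the row we inserted.
echo $db->query('SELECT COUNT(*) FROM posts')->fetchColumn(), " row(s)\n";
```

    When the stored text is later rendered back into a page it needs the HTML treatment discussed earlier in the thread; parameterised SQL protects the database, not the browser.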