Malicious TAGS

[adyda]

Hy to all,

I've developed a website using ASP (interdev)
I've created a "forum" using an HTML area (http://www.htmlarea.com/) as
message board to have a word like formatting tool, but now I need to cleanup
the posted data from any script or other possible malicious tags (f.e:
<script>,<object>,<iframe>)

Now, I'm developing a procedure to do this, but I need to know which tags I
need to remove from incoming data to be sure that no malicious code can be
uploaded into my website

Can anybody help me with a list of all "risk" TAGS?

thanks in advance

Adriano

 

[David Dorward]

Now, I'm developing a procedure to do this, but I need to know which tags
I need to remove from incoming data to be sure that no malicious code can
be uploaded into my website

You would be better off working from the other direction. Decide what tags
(and what attributes on those tags) that you want to *allow* and drop
everything else. Aside from anything else, its proof against any future
extensions (official or (more likely) otherwise) to HTML that may be
introduced.

 

[adyda]

You would be better off working from the other direction. Decide what tags
(and what attributes on those tags) that you want to *allow* and drop
everything else. Aside from anything else, its proof against any future
extensions (official or (more likely) otherwise) to HTML that may be
introduced.

Yes, this maybe a best solution, but so probablythere are several more tags
and attributes that I need to enable...

 

[Toby Inkster]

I've created a "forum" using an HTML area (http://www.htmlarea.com/) as
message board to have a word like formatting tool, but now I need to cleanup
the posted data from any script or other possible malicious tags (f.e:
<script>,<object>,<iframe>)

<img src="http://www.example.org/eve/foo" alt=""
onload="document.location.href='http://www.example.org/eve/';">

D'oh!