Malicious TAGS

Discussion in 'HTML' started by adyda, Sep 24, 2005.

  1. adyda

    adyda Guest

    Hi to all,

    I've developed a website using ASP (InterDev).
    I've created a "forum" using an HTML area (http://www.htmlarea.com/) as a
    message board to have a Word-like formatting tool, but now I need to clean up
    the posted data from any script or other possible malicious tags (e.g.
    <script>, <object>, <iframe>).

    Now, I'm developing a procedure to do this, but I need to know which tags I
    need to remove from incoming data to be sure that no malicious code can be
    uploaded into my website

    Can anybody help me with a list of all "risk" TAGS?

    thanks in advance

    Adriano
    adyda, Sep 24, 2005
    #1

  2. adyda wrote:
    > Now, I'm developing a procedure to do this, but I need to know which tags
    > I need to remove from incoming data to be sure that no malicious code can
    > be uploaded into my website


    You would be better off working from the other direction. Decide what tags
    (and what attributes on those tags) you want to *allow* and drop
    everything else. Aside from anything else, it's proof against any future
    extensions (official or (more likely) otherwise) to HTML that may be
    introduced.

    --
    David Dorward <http://blog.dorward.me.uk/> <http://dorward.me.uk/>
    Home is where the ~/.bashrc is
    David Dorward, Sep 24, 2005
    #2

  3. adyda

    adyda Guest

    "David Dorward" <> wrote in message
    news:dh4hog$od3$1$...
    > You would be better off working from the other direction. Decide what tags
    > (and what attributes on those tags) you want to *allow* and drop
    > everything else. Aside from anything else, it's proof against any future
    > extensions (official or (more likely) otherwise) to HTML that may be
    > introduced.


    Yes, this may be the best solution, but then there are probably several more
    tags and attributes that I need to enable...
    adyda, Sep 24, 2005
    #3
  4. adyda

    Toby Inkster Guest

    adyda wrote:

    > I've created a "forum" using an HTML area (http://www.htmlarea.com/) as a
    > message board to have a Word-like formatting tool, but now I need to clean up
    > the posted data from any script or other possible malicious tags (e.g.
    > <script>, <object>, <iframe>)


    <img src="http://www.example.org/eve/foo" alt=""
    onload="document.location.href='http://www.example.org/eve/';">

    D'oh!

    --
    Toby A Inkster BSc (Hons) ARCS
    Contact Me ~ http://tobyinkster.co.uk/contact
    Toby Inkster, Sep 25, 2005
    #4