Velocity Reviews - Computer Hardware Reviews

Injecting code in HTML

 
 
Simon
05-25-2005
Hi,

I am trying to write a class in php that removes possible injections in user
given html, (from a <textarea>).
I realize that I could prevent any HTML code '<' and '>' but that would,
(IMHO), be a bit of an overkill.
I don't want to limit html for the sake of a handful of bad elements.

But before I do that I need to work out what is potentially malicious and
what is not.

My first assertion is that the html tags, (<a>, <table> etc...), in
themselves are not a potential danger, (Apart of course for <script>). By
that I mean there is no tag that can make my server behave in a certain way,
only the elements in the tag can be hurtful.

My second assertion is that the element style="...", in any tag, cannot
contain any malicious code, (that is for example contain any donkey(...)
etc), so I would be right in allowing any style="...", id="..." and
class="..." elements.

Are my above assertions right?
And where would I be able to find a more detailed article on the possible
dangers of HTML tags and elements?

I do realize that php can have its own problems, but I would like to limit
myself to 'normal' html.

Many thanks in advance.

Simon
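As an added example (not code from Simon's post or from any project mentioned in the thread) of how a filter for user-supplied HTML is normally built: instead of trying to enumerate the bad elements, it keeps an allowlist of tags, attributes and URL schemes and drops everything else, including anything it does not recognise. The policy tables below are a hypothetical allowlist invented for this example, and the sample input is constructed; it uses Python's standard html.parser so it runs with no dependencies. In PHP the same allowlist approach is what a maintained library such as HTML Purifier implements, and a production site should prefer such a library to a hand-written class.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical policy for the example: anything not listed here is dropped.
ALLOWED_TAGS = {"a", "b", "i", "em", "strong", "p", "br", "ul", "ol", "li",
                "table", "tr", "td", "th"}
ALLOWED_ATTRS = {"*": {"class", "id"}, "a": {"href", "title"}}
ALLOWED_SCHEMES = {"http", "https", "mailto"}   # relative URLs are also kept
VOID_TAGS = {"br"}                              # never pushed on the open-tag stack
DROP_WITH_CONTENT = {"script", "style"}         # the tag *and* its text are discarded


def safe_url(value):
    """Keep relative URLs and the allowlisted schemes; reject every other scheme."""
    if value is None:
        return False
    scheme = urlparse(value.strip()).scheme.lower()
    return scheme == "" or scheme in ALLOWED_SCHEMES


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []        # sanitized output pieces
        self.stack = []      # currently open allowed tags, so closing stays well-formed
        self.dropped = []    # what was removed, useful for logging and review
        self.skip = 0        # > 0 while inside a tag whose text must be discarded

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1
        if tag not in ALLOWED_TAGS:
            self.dropped.append(tag)
            return
        allowed = ALLOWED_ATTRS.get(tag, set()) | ALLOWED_ATTRS["*"]
        kept = []
        for name, value in attrs:
            if name not in allowed or (name == "href" and not safe_url(value)):
                self.dropped.append(f"{tag}@{name}")
                continue
            # Re-escape the value so the output is well-formed whatever came in
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.stack.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT and self.skip:
            self.skip -= 1
        if tag in self.stack:
            # Also close every tag opened after it, so nesting stays valid
            while self.stack:
                open_tag = self.stack.pop()
                self.out.append(f"</{open_tag}>")
                if open_tag == tag:
                    break

    def handle_data(self, data):
        if self.skip:
            return
        # Text is always re-escaped, so a literal '<' in user text cannot open a tag
        self.out.append(escape(data, quote=False))

    def close(self):
        super().close()
        # Close whatever the user left open
        while self.stack:
            self.out.append(f"</{self.stack.pop()}>")


def sanitize(fragment):
    """Return the allowlisted HTML for a user-supplied fragment."""
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed sample input standing in for a <textarea> submission
    sample = ('<p class="note">Hello <b>world</b> &lt;3 '
              '<a href="https://example.com" style="color:red">link</a></p>')
    print(sanitize(sample))
```

Comments, declarations and processing instructions fall through html.parser's default no-op handlers and so never reach the output; the `dropped` list records each removed tag or attribute so the application can log what the filter took out rather than silently swallowing it.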

Adrienne
05-25-2005
Gazing into my crystal ball I observed "Simon" <(E-Mail Removed)>
writing in news:(E-Mail Removed):

> Hi,
>
> I am trying to write a class in php that removes possible injections in
> user given html, (from a <textarea>).
> I realize that I could prevent any HTML code '<' and '>' but that
> would, (IMHO), be a bit of an overkill.
> I don't want to limit html for the sake of a handful of bad elements.
>
> but before I do that I need to work out what is potentially malicious
> and what is not.
>
> My first assertion is that the html tags, (<a>, <table> etc...), in
> themselves are not a potential danger, (Apart of course for <script>).
> By that I mean there is no tag that can make my server behave in a
> certain way, only the elements in the tag can be hurtful.
>
> My second assertion is that the element 'style="...", in any tag,
> cannot contain any malicious code, (that is for example contain any
> donkey(...) etc), so I would be right in allowing any style="...",
> id="..." and class="..." elements.
>
> Are my above assertions right?
> And where would I be able to find a more detailed article on the
> possible dangers of HTML tags and elements?
>
> I do realize that php can have its own problems, but I would like to
> limit myself to 'normal' html.
>
> Many thanks in advance.
>
> Simon


If you're working with a database, beware of SQL Injection, i.e.:

<textarea>DROP TABLE</textarea>
http://www.securiteam.com/securityre...DP0N1P76E.html has some good
information.

--
Adrienne Boswell
http://www.cavalcade-of-coding.info
Please respond to the group so others can share
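An added example (not Adrienne's code) of the mitigation for the SQL side of the thread: with a parameterised query the text from the <textarea> is handed to the database driver as a value, so a submission such as `DROP TABLE` is stored as the string it is, whereas pasting the text into the SQL string makes the statement break as soon as the text contains a plain apostrophe. Python's standard sqlite3 module with an in-memory database is used; the table and the submissions are constructed for the example. PHP's PDO prepared statements with placeholders give the same separation of query and data.

```python
import sqlite3


def make_db():
    """In-memory database with a single table for the constructed example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)")
    return conn


def store_unsafe(conn, body):
    """Concatenation: the user's text becomes part of the SQL statement itself."""
    conn.execute(f"INSERT INTO comments (body) VALUES ('{body}')")


def store_safe(conn, body):
    """Parameterised query: the text is sent as a value and never parsed as SQL."""
    conn.execute("INSERT INTO comments (body) VALUES (?)", (body,))


def fetch_bodies(conn):
    """Everything stored so far, in insertion order."""
    return [row[0] for row in conn.execute("SELECT body FROM comments ORDER BY id")]


def table_exists(conn, name):
    row = conn.execute(
        "SELECT COUNT(*) FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row[0] == 1


def demo():
    """Store constructed textarea submissions both ways and report what happened."""
    conn = make_db()
    submissions = ["DROP TABLE comments", "Simon's <b>post</b>"]   # constructed input
    for text in submissions:
        store_safe(conn, text)                   # stored verbatim, table untouched
    stored = fetch_bodies(conn)

    error = None
    try:
        store_unsafe(conn, "Simon's post")       # the apostrophe ends the SQL literal
    except sqlite3.OperationalError as exc:
        error = str(exc)                         # the statement no longer parses
    return stored, table_exists(conn, "comments"), error


if __name__ == "__main__":
    print(demo())
```

The failing insert is the tell: an ordinary name with an apostrophe is enough to break a concatenated statement, which is the same boundary problem that injection exploits, and the placeholder version has no such boundary to break.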