Velocity Reviews - Computer Hardware Reviews

Malicious TAGS

 
 
adyda
      09-24-2005
Hi to all,

I've developed a website using ASP (InterDev).
I've created a "forum" using an HTML area (http://www.htmlarea.com/) as a
message board to have a Word-like formatting tool, but now I need to clean up
the posted data from any script or other possible malicious tags (e.g.
<script>, <object>, <iframe>).

Now, I'm developing a procedure to do this, but I need to know which tags I
need to remove from incoming data to be sure that no malicious code can be
uploaded into my website

Can anybody help me with a list of all "risk" TAGS?

thanks in advance

Adriano


 
David Dorward
      09-24-2005
adyda wrote:
> Now, I'm developing a procedure to do this, but I need to know which tags
> I need to remove from incoming data to be sure that no malicious code can
> be uploaded into my website


You would be better off working from the other direction. Decide which tags
(and which attributes on those tags) you want to *allow* and drop
everything else. Aside from anything else, it's proof against any future
extensions (official or (more likely) otherwise) to HTML that may be
introduced.

--
David Dorward <http://blog.dorward.me.uk/> <http://dorward.me.uk/>
Home is where the ~/.bashrc is
 
adyda
      09-24-2005

"David Dorward" wrote:
> You would be better off working from the other direction. Decide which tags
> (and which attributes on those tags) you want to *allow* and drop
> everything else. Aside from anything else, it's proof against any future
> extensions (official or (more likely) otherwise) to HTML that may be
> introduced.


Yes, this may be the best solution, but so there are probably several more tags
and attributes that I need to enable...


 
Toby Inkster
      09-25-2005
adyda wrote:

> I've created a "forum" using an HTML area (http://www.htmlarea.com/) as a
> message board to have a Word-like formatting tool, but now I need to clean up
> the posted data from any script or other possible malicious tags (e.g.
> <script>, <object>, <iframe>).


<img src="http://www.example.org/eve/foo" alt=""
onload="document.location.href='http://www.example.org/eve/';">

D'oh!

--
Toby A Inkster BSc (Hons) ARCS
Contact Me ~ http://tobyinkster.co.uk/contact

 