View Full Version : Template and XSS problem

02-28-2007, 10:14 AM
I have a multi-site script. In this system, member can edit HTML template and javascript for web effect.

But I'm fear XSS in javascript code. I must not remove <script> tag. Who can tell me the good method for this problem. Thank you :)

02-28-2007, 02:13 PM
str_replace (http://us2.php.net/str_replace)

02-28-2007, 03:30 PM
str_replace() is a good, fast replacement function. However, not even regex is going to stop XSS if you are intentionally allowing users to modify the programs that will be executed in the browser.

To be blunt, you will never stop XSS because you don't control the browser. You can limit it though by disallowing client program modification through uploads or stripping tags. I would suggest PHPs PCRE instead of its POSIX regex.

02-28-2007, 08:02 PM
Thanks for reply :)

The matter is:
- Allow member use Javascript
- Can edit HTML template

I see www.blogger.com allow member edit template and use javascript.