Template and XSS problem



114v
02-28-2007, 10:14 AM
I have a multi-site script. In this system, members can edit the HTML template and JavaScript for web effects.

But I fear XSS in the JavaScript code. I must not remove the <script> tag. Who can tell me a good method for this problem? Thank you :)

vinyl-junkie
02-28-2007, 02:13 PM
str_replace (http://us2.php.net/str_replace)

elvisismymother
02-28-2007, 03:30 PM
str_replace() is a good, fast replacement function. However, not even regex is going to stop XSS if you are intentionally allowing users to modify the programs that will be executed in the browser.

To be blunt, you will never stop XSS because you don't control the browser. You can limit it though by disallowing client program modification through uploads or stripping tags. I would suggest PHP's PCRE instead of its POSIX regex.
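To show the difference the reply above is pointing at, here is an added example (not code from this thread): a literal str_replace() filter beside a PCRE one, run over constructed template fragments. The function names and sample fragments are assumptions for illustration; as the reply says, neither approach prevents XSS once members are allowed to ship their own JavaScript, it only limits what a template can smuggle past the filter.

```php
<?php
// Added example, not from the thread. Compares a literal str_replace() filter
// with a PCRE filter on constructed sample input. Neither is a complete XSS fix
// when members may include their own JavaScript; this only narrows the gap.

function strip_script_naive(string $html): string {
    // The str_replace() approach: literal, case-sensitive match on exact tags.
    return str_replace(['<script>', '</script>'], '', $html);
}

function strip_script_pcre(string $html): string {
    // PCRE: case-insensitive (i), dot matches newlines (s), tolerates attributes
    // and whitespace in the opening tag, and removes the element body as well.
    $html = preg_replace('#<script\b[^>]*>.*?</script\s*>#is', '', $html);
    // Also drop an opening tag that is never closed (the body then stays as text).
    return preg_replace('#<script\b[^>]*>#i', '', $html);
}

// Constructed sample template fragments (assumptions, not real member data).
$samples = [
    'plain'      => '<p>Hello</p><script>run()</script>',
    'uppercase'  => '<p>Hello</p><SCRIPT>run()</SCRIPT>',
    'attributes' => '<p>Hello</p><script type="text/javascript">run()</script>',
];

foreach ($samples as $name => $fragment) {
    // The naive filter only cleans the first sample; the PCRE filter cleans all three.
    printf("%-10s naive: %s\n", $name, strip_script_naive($fragment));
    printf("%-10s pcre : %s\n", $name, strip_script_pcre($fragment));
}
```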

114v
02-28-2007, 08:02 PM
Thanks for reply :)

The matter is:
- Allow members to use JavaScript
- Members can edit the HTML template

I see www.blogger.com allows members to edit the template and use JavaScript.
