  1. #1
    New to the CF scene
    Join Date
    Apr 2006
    Posts
    6
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Question Template and XSS problem

    I have a multi-site script. In this system, members can edit the HTML template and JavaScript for web effects.

    But I fear XSS in the JavaScript code. I must not remove the <script> tag. Who can tell me a good method for this problem? Thank you.

  • #2
    $object->toCD-R(LP); vinyl-junkie
    Join Date
    Jun 2003
    Posts
    3,088
    Thanks
    2
    Thanked 23 Times in 23 Posts
    Music Around The World - Collecting tips, trade and want lists, album reviews, & more
    SNAP to it!

  • #3
    New to the CF scene
    Join Date
    Feb 2007
    Location
    Utah
    Posts
    7
    Thanks
    0
    Thanked 0 Times in 0 Posts
    str_replace() is a good, fast replacement function. However, not even regex is going to stop XSS if you are intentionally allowing users to modify the programs that will be executed in the browser.

    To be blunt, you will never stop XSS because you don't control the browser. You can limit it though by disallowing client program modification through uploads or stripping tags. I would suggest PHP's PCRE instead of its POSIX regex.
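
    The following is an added example, not code from this thread, showing the point made in #3: a literal str_replace() of "<script>" and a PCRE-based stripper remove different things, so a filter has to be checked against what members can actually save. The function names and the sample template fragments are constructed for the example.

```php
<?php
// Added example (not from the thread). Compares a literal str_replace()
// stripper with a PCRE one, to show what each actually removes from a
// member-supplied template. Function names and samples are constructed.

// Fast but literal: removes only the exact lowercase tag, no attributes.
function strip_script_naive(string $html): string
{
    return str_replace(['<script>', '</script>'], '', $html);
}

// PCRE: removes the whole <script ...>...</script> element, including
// its body, regardless of tag case or attributes on the opening tag.
//   /i  case-insensitive (HTML tag names are case-insensitive)
//   /s  let "." match newlines, so multi-line script bodies are covered
function strip_script_pcre(string $html): string
{
    $out = preg_replace('#<script\b[^>]*>.*?</script\s*>#is', '', $html);
    // preg_replace() returns null on a PCRE error; fail closed, not open.
    if ($out === null) {
        return '';
    }
    return $out;
}

// Constructed template fragments a member might save in the editor.
$samples = [
    '<p>Hello <script>/* member script */</script> world</p>',
    '<p><SCRIPT type="text/javascript">/* member script */</SCRIPT></p>',
    "<div>\n<script>\n/* multi-line\n   member script */\n</script>\n</div>",
];

foreach ($samples as $s) {
    echo "input : " . str_replace("\n", '\n', $s) . "\n";
    echo "naive : " . str_replace("\n", '\n', strip_script_naive($s)) . "\n";
    echo "pcre  : " . str_replace("\n", '\n', strip_script_pcre($s)) . "\n\n";
}
```

    Only the first sample is fully cleaned by the literal version; the PCRE version handles all three, but as #3 says, if members are allowed to keep their scripts at all, no stripper changes what the browser will execute.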

  • #4
    New to the CF scene
    Join Date
    Apr 2006
    Posts
    6
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Thanks for the reply.

    The matter is:
    - Allow members to use JavaScript
    - Allow them to edit the HTML template

    I see www.blogger.com allows members to edit their template and use JavaScript.

