Mailing List Archive
Re: [tlug] Do you whitelist or blacklist utf-8?
- Date: Wed, 23 Feb 2011 20:50:58 +0200
- From: Shmuel Fomberg <owner@example.com>
- Subject: Re: [tlug] Do you whitelist or blacklist utf-8?
- References: <4D639689.1010302@example.com> <4D63EFBC.1020900@example.com> <4D64C5DD.1040607@example.com> <4D64CB49.10906@example.com> <4D652AF5.10304@example.com>
- User-agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20101207 Thunderbird/3.1.7
Hi Dave.

>> but first you need to tell us something about your data. Is the user allowed to enter HTML tags?

> Nope. I want to be real strict. They get: No punctuation at all. Only spaces, no other white space (tabs, line feed characters, or anything else). They can have 0-9a-zA-Z, and anything above the ASCII range (taking into account what you wrote above).

Then you are pretty safe from XSS. All these attacks are basically injecting unwanted HTML tags to your site. If you don't allow any punctuation, then no tags can be injected.

Shmuel.
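The whitelist described in the quoted text, as an added example that is not part of the original message or thread. Python is an assumption (the thread names no language here), and `check_field` and its `strict_unicode` flag are hypothetical names. The strict mode is an added reading that extends "no punctuation, only spaces" to characters above ASCII by Unicode category; with `strict_unicode=False` the rule is applied literally.

```python
import unicodedata

# The ASCII part of the whitelist: digits, letters, and the space character.
ASCII_ALLOWED = frozenset(
    "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ "
)

def check_field(raw: bytes, strict_unicode: bool = True):
    """Return (ok, reason) for one submitted field (hypothetical helper)."""
    # Decode first: strict decoding rejects malformed sequences, including
    # overlong encodings that would hide an ASCII character from a byte filter.
    try:
        text = raw.decode("utf-8", errors="strict")
    except UnicodeDecodeError as exc:
        return False, f"invalid UTF-8 at byte {exc.start}"
    for pos, ch in enumerate(text):
        if ord(ch) < 0x80:
            if ch not in ASCII_ALLOWED:
                return False, f"ASCII {ch!r} at {pos} is not whitelisted"
        elif strict_unicode:
            # Assumption: "no punctuation, only spaces" also applies above
            # ASCII, so keep letters (L*), marks (M*) and numbers (N*) only.
            cat = unicodedata.category(ch)
            if cat[0] not in "LMN":
                return False, f"U+{ord(ch):04X} ({cat}) at {pos} rejected"
    return True, "ok"

# Constructed sample inputs, not taken from the thread.
SAMPLES = [
    b"Tokyo Tower 2011",
    "東京 タワー".encode("utf-8"),
    b"<b>bold</b>",
    b"tab\there",
    b"ab\xc0\xbc",                     # malformed: overlong form of '<'
    "a\u3000b".encode("utf-8"),        # ideographic space, above ASCII
    "\uff1cb\uff1e".encode("utf-8"),   # full-width angle brackets
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, check_field(sample), check_field(sample, strict_unicode=False))
```
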