Hi guys,
I am working on my website where I need to prevent cross-site scripting attacks. I do not want to use htmlspecialchars(), htmlentities() or strip_tags(), because I need to be able to post images and other HTML formatting.
At present this is how I do it:
<?php
// Substrings to delete from every request parameter (case-insensitive match)
$prohibitedstrings = array("<script", "<script", "%3Cscript", "<link", "<link", "%3Clink");
// str_ireplace() accepts an array subject and returns the array with every value filtered
$_GET  = str_ireplace($prohibitedstrings, '', $_GET);
$_POST = str_ireplace($prohibitedstrings, '', $_POST);
Are there any more patterns I should add to the $prohibitedstrings array?
After taking these precautions, are there any other loopholes through which XSS can be exploited?
Thank you!
-Rohan
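The filter in the question deletes a handful of substrings from request parameters. The added example below (not code from the original post) reproduces that blocklist, runs three constructed payloads through it that it does not stop, and contrasts an allowlist sanitizer built on DOMDocument that keeps only known elements and attributes and only safe URL schemes, which is what still lets images and formatting through. The tag list, attribute list and scheme list are assumptions chosen for the example; tune them to what the site actually needs.

```php
<?php
// Added example, not code from the original post. ALLOWED_TAGS, DROP_WITH_CONTENT
// and SAFE_SCHEMES are assumed policy values for this demonstration.

// The poster's approach: delete a few substrings (duplicate entries omitted).
function blocklistFilter(string $html): string
{
    return str_ireplace(['<script', '%3Cscript', '<link', '%3Clink'], '', $html);
}

// Elements kept, with the attributes each may carry (assumed allowlist).
const ALLOWED_TAGS = [
    'p' => [], 'br' => [], 'b' => [], 'strong' => [], 'i' => [], 'em' => [],
    'ul' => [], 'ol' => [], 'li' => [], 'blockquote' => [],
    'a'   => ['href', 'title'],
    'img' => ['src', 'alt', 'width', 'height'],
];
// Elements removed together with their content; any other unknown element is
// unwrapped so its text survives as escaped text.
const DROP_WITH_CONTENT = ['script', 'style', 'iframe', 'object', 'embed', 'template'];
const SAFE_SCHEMES = ['http', 'https', 'mailto'];

// A URL is kept only if it is relative or uses an allowed scheme. Control
// characters and whitespace are stripped first because browsers ignore them
// ("java\tscript:" still runs), so the check must see what the browser sees.
function isSafeUrl(string $url): bool
{
    $clean = preg_replace('/[\x00-\x20\x7f]+/', '', $url);
    $parts = parse_url($clean);
    if ($parts === false) {
        return false;
    }
    return !isset($parts['scheme'])
        || in_array(strtolower($parts['scheme']), SAFE_SCHEMES, true);
}

function sanitizeChildren(DOMNode $parent): void
{
    // Snapshot the list: removing or moving nodes while iterating skips siblings.
    foreach (iterator_to_array($parent->childNodes) as $node) {
        if ($node instanceof DOMText) {
            continue; // text nodes are entity-escaped when serialized
        }
        if (!$node instanceof DOMElement) {
            $parent->removeChild($node); // comments, processing instructions
            continue;
        }
        $tag = strtolower($node->tagName);
        if (in_array($tag, DROP_WITH_CONTENT, true)) {
            $parent->removeChild($node);
            continue;
        }
        sanitizeChildren($node); // clean descendants before deciding about $node
        if (!array_key_exists($tag, ALLOWED_TAGS)) {
            while ($node->firstChild !== null) {
                $parent->insertBefore($node->firstChild, $node); // unwrap
            }
            $parent->removeChild($node);
            continue;
        }
        foreach (iterator_to_array($node->attributes) as $attr) {
            $name = strtolower($attr->name);
            $keep = in_array($name, ALLOWED_TAGS[$tag], true)
                && (!in_array($name, ['href', 'src'], true) || isSafeUrl($attr->value));
            if (!$keep) {
                $node->removeAttribute($attr->name); // drops onerror, style, javascript: URLs
            }
        }
    }
}

// Parse the fragment as HTML (entities such as &#106;avascript: are decoded here,
// so the scheme check sees the real value), sanitize the tree, re-serialize.
function sanitizeHtml(string $fragment): string
{
    $doc = new DOMDocument();
    $prev = libxml_use_internal_errors(true); // malformed input is expected
    $doc->loadHTML('<!DOCTYPE html><html><head><meta charset="utf-8"></head><body>'
        . $fragment . '</body></html>');
    libxml_clear_errors();
    libxml_use_internal_errors($prev);

    $body = $doc->getElementsByTagName('body')->item(0);
    sanitizeChildren($body);

    $out = '';
    foreach ($body->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

// Constructed payloads: each passes the blocklist untouched or reassembled.
$payloads = [
    '<img src=x onerror=alert(1)>',                 // no "<script" needed at all
    '<scr<scriptipt>alert(1)</script>',             // single-pass deletion rebuilds <script>
    '<a href="&#106;avascript:alert(1)">click</a>', // entity-encoded scheme
];
foreach ($payloads as $p) {
    echo "blocklist: ", blocklistFilter($p), "\n";
    echo "allowlist: ", sanitizeHtml($p), "\n\n";
}
```

Running this shows the first payload leaving blocklistFilter() unchanged, the second coming out as a well-formed <script>alert(1)</script> because str_ireplace() makes a single pass, and the third untouched because the scheme never contains the literal "<script". sanitizeHtml() returns <img src="x"> for the first, a script-free text fragment for the second and <a>click</a> for the third. Two caveats apply. This sanitizer only makes a fragment safe to place in HTML body content; a value that is inserted into an attribute, a script block or a URL still needs the encoding for that context, which no tag filter provides. And for a production site a maintained library such as HTML Purifier covers many more parser and browser quirks than an 80-line example; the point of the example is the shape of the solution, an allowlist over a parsed tree rather than a blocklist over raw strings.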