Rohan Shenoy Posted July 10, 2008

Hi guys,

I am working on my website where I need to prevent cross-site scripting attacks. I do not want to use htmlspecialchars(), htmlentities() or strip_tags() because I need to be able to post images and other HTML formatting.

At present this is how I do it:

<?php
// Blacklist of substrings to strip from every incoming request value
$prohibitedstrings = array("<script", "<script", "%3Cscript", "<link", "<link", "%3Clink");
// str_ireplace() with an array subject applies the case-insensitive replacement to each element
$_GET  = str_ireplace($prohibitedstrings, '', $_GET);
$_POST = str_ireplace($prohibitedstrings, '', $_POST);

Are there any more patterns I should add to the $prohibitedstrings array? After observing these precautions, are there any other loopholes through which XSS can be exploited?

Thank you!
-Rohan
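As an added example (not code from the original post), here is the allowlist alternative to stripping a blacklist of substrings: parse the submitted HTML, keep only the tags and attributes you explicitly permit (images and basic formatting), and drop everything else. The tag list, the function names and the $_POST['body'] field are assumptions made for this example.

```php
<?php
// Added example (not the poster's code): allowlist sanitizer that keeps images and
// basic formatting and drops every other tag/attribute. Tag list, function names
// and the $_POST['body'] field are assumptions made for this example.
$allowedTags = [
    'p' => [], 'br' => [], 'b' => [], 'i' => [], 'strong' => [], 'em' => [],
    'ul' => [], 'ol' => [], 'li' => [],
    'a'   => ['href', 'title'],
    'img' => ['src', 'alt', 'width', 'height'],
];

function sanitize_html(string $html, array $allowed): string {
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);        // tolerate sloppy user markup
    $doc->loadHTML('<?xml encoding="UTF-8"><div>' . $html . '</div>'); // PI declares UTF-8; <div> wraps the fragment
    libxml_clear_errors();
    $wrapper = $doc->getElementsByTagName('div')->item(0);
    clean_node($wrapper, $allowed);
    $out = '';
    foreach ($wrapper->childNodes as $child) {
        $out .= $doc->saveHTML($child);      // serialise only the cleaned children
    }
    return $out;
}

function clean_node(DOMNode $node, array $allowed): void {
    foreach (iterator_to_array($node->childNodes) as $child) { // copy: removeChild() mutates the live list
        if ($child->nodeType === XML_ELEMENT_NODE) {
            $tag = strtolower($child->tagName);
            if (!isset($allowed[$tag])) {
                $node->removeChild($child);  // unknown tag: drop it with its contents
                continue;
            }
            foreach (iterator_to_array($child->attributes) as $attr) {
                $name = strtolower($attr->name);
                // Entities are already decoded here; href/src must be http(s) or site-relative
                if (!in_array($name, $allowed[$tag], true)
                    || (in_array($name, ['href', 'src'], true)
                        && !preg_match('#^(https?://|/)#i', trim($attr->value)))) {
                    $child->removeAttribute($attr->name);
                }
            }
            clean_node($child, $allowed);
        } elseif ($child->nodeType !== XML_TEXT_NODE) {
            $node->removeChild($child);      // comments and anything else
        }
    }
}
$safe = sanitize_html($_POST['body'] ?? '', $allowedTags);
```

Because the check runs on the parsed DOM rather than on the raw string, encoded variants such as %3Cscript or entity-encoded attribute values never need their own blacklist entry: anything that is not on the allowlist is removed.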