I am doing this. It seems to work, but is it the best way? Like, could people still post XSS code, or should this catch it all?
$pattern[0] = '/script/';
$pattern[1] = '/onmouseover/';
$pattern[2] = '/onerror/';
$pattern[3] = '/onload/';
$replacement[0] = 'scr<b></b>ipt';
$replacement[1] = 'onmouse<b></b>over';
$replacement[2] = 'on<b></b>...
We have an internal web application that acts as a repository to which users can upload files. These files can be any format, including HTML pages.
We have tested that in IE8, if you download an HTML file that contains some script that tries to access your cookies and, after downloading, you choose the "Open" option, the script execute...
Our middle tier needs to do something to prevent </script> from appearing verbatim in a JavaScript string. For example, in all browsers, the HTML parser in its first pass will ignore the JavaScript context, see the first close-script, then see garbage, then see a second close-script. See: using-script-in-a-javascript-literal
<HTML>
<BODY>
...