On Tue, May 10, 2005 14:55, Ulf Harnhammar wrote:
> Protecting against this type of attack is much more complicated than
> this. As Jeroen noted, HTML entities are interpreted, so you have to
> protect against things like "javascript:". Some browsers allow varying
> amounts of whitespace inside protocols for some reason, so you have to
> protect against "java scr ipt : ". Upper and lower characters may be an
> issue. Finally, some browsers including Mozilla store entities in integers
> so they wrap over and start again after 2**32.
So, to conclude, I think we have to resort to a whitelist of allowed protocols.
kses uses ('http', 'https', 'ftp', 'news', 'nntp', 'telnet', 'gopher', 'mailto'),
which seems like a reasonable list.

Thijs

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
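The following is an added example, written for this page; it is not code from the thread and not kses's own implementation. It puts the whitelist Thijs quotes behind a check that first normalises the href the way the quoted message says browsers do: HTML entities (numeric with or without a semicolon, and named) are decoded in one pass, whitespace and control characters inside the scheme are dropped, and the result is lower-cased before the scheme is compared against the list. The 32-bit wrap is an assumption modelled deliberately: numeric references are reduced modulo 2**32 so that `&#4294967402;` becomes `j`, as the message describes for Mozilla. The set of characters stripped as "whitespace" and the sample hrefs at the bottom are constructed for the example.

```python
import re
from html.entities import html5

# The whitelist quoted in the message above (the kses default list).
ALLOWED_PROTOCOLS = ('http', 'https', 'ftp', 'news', 'nntp', 'telnet', 'gopher', 'mailto')

# One pass over numeric (decimal/hex) and named entities, semicolon optional,
# because browsers accept "&#106avascript" as well as "&#106;avascript".
_ENTITY_RE = re.compile(r'&(?:#[xX]([0-9a-fA-F]+)|#([0-9]+)|([A-Za-z][A-Za-z0-9]*));?')

# Assumed set of characters a lenient browser ignores inside a scheme:
# C0 controls, space, DEL and C1 controls.
_JUNK_RE = re.compile(r'[\x00-\x20\x7f-\x9f]')


def decode_entities(text, wrap_bits=32):
    """Decode HTML character references the way a lenient browser would.

    Assumption (modelled on the thread): a browser that stores the code point
    in a 32-bit integer wraps &#4294967402; (2**32 + 106) to 106, i.e. 'j',
    so the number is reduced modulo 2**wrap_bits before it becomes a character.
    """
    def replace(match):
        hexnum, decnum, name = match.groups()
        if name is not None:
            # html5 holds both "amp;" and the legacy no-semicolon form "amp".
            value = html5.get(name + ';') or html5.get(name)
            return value if value is not None else match.group(0)
        num = int(hexnum, 16) if hexnum is not None else int(decnum)
        num %= 1 << wrap_bits
        if num > 0x10FFFF or 0xD800 <= num <= 0xDFFF:
            return '\ufffd'  # not a valid code point: browsers render U+FFFD
        return chr(num)
    return _ENTITY_RE.sub(replace, text)


def url_protocol(href):
    """Return the scheme a browser will actually use for href, or None for a
    relative URL. Entities are decoded, junk characters dropped and the
    result lower-cased, so "&#106;ava\\tscr ipt :" and "JaVaScRiPt:" both
    come out as "javascript".
    """
    normalised = _JUNK_RE.sub('', decode_entities(href)).lower()
    # The scheme is whatever precedes the first ':' unless '/', '?' or '#'
    # comes first, in which case the URL is relative and has no scheme.
    match = re.match(r'^([^:/?#]*):', normalised)
    return match.group(1) if match else None


def is_allowed_href(href, allowed=ALLOWED_PROTOCOLS):
    """Whitelist check: relative URLs pass; anything carrying a scheme passes
    only if that scheme is exactly one of the allowed names. An odd prefix
    before the ':' (for instance one containing U+FFFD) therefore fails
    closed instead of being guessed at.
    """
    proto = url_protocol(href)
    return proto is None or proto in allowed


if __name__ == '__main__':
    # Constructed sample hrefs for the example; not taken from any real page.
    samples = [
        'http://example.org/',
        'HTTP://EXAMPLE.ORG/',
        '/relative/path?x=a:b',
        'mailto:someone@example.org',
        'javascript:alert(1)',
        'JaVaScRiPt:alert(1)',
        'java\tscr\nipt :alert(1)',
        '&#106;avascript:alert(1)',
        '&#x6A;avascript:alert(1)',
        '&#4294967402;avascript:alert(1)',  # 2**32 + 106: wraps to 'j'
        'javascript&colon;alert(1)',
        'data:text/html;base64,PHNjcmlwdD4=',
    ]
    for href in samples:
        verdict = 'allow' if is_allowed_href(href) else 'DROP '
        print(f'{verdict}  {href!r}  -> scheme {url_protocol(href)!r}')
```

The check is deliberately a whitelist on the fully normalised scheme rather than a search for bad substrings: every decoding quirk in the message (entities, embedded whitespace, case, integer wrap) is folded into the normalisation step, and whatever survives it must match an allowed name exactly or the href is dropped. Modelling the wrap is the conservative direction; a browser that does not wrap sees U+FFFD in that position and gets no usable scheme at all, while one that does wrap sees exactly what the check saw.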