5 Aug 2003, 3:57 p.m.
It seems as if letting things like <scRipt> through makes the whole exercise pointless. Surely people who play these games think of things like that. You might consider using one of the existing HTML strippers out there, like stripogram (available in the squishdot distribution) or SafeHTML. Unfortunately, neither of them deals correctly with this example:

<A HREF="http://example.com/comment.cgi? mycomment=<SCRIPT>malicious code</SCRIPT>"> Click here</A>

which is mentioned in the CERT advisory at http://www.cert.org/advisories/CA-2000-02.html

HTH.
Alex.
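As an added illustration (not code from this thread, nor from stripogram or SafeHTML), here is the parser-based alternative to regex stripping that handles both cases raised above: the mixed-case <scRipt> tag and the CERT CA-2000-02 link with a tag inside an attribute value. It uses Python's standard html.parser; the tag, attribute and URL-scheme allowlists are assumptions chosen for the example.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Allowlists (assumed for this example): anything else is removed.
ALLOWED_TAGS = {"a", "b", "i", "em", "strong", "p", "br"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_SCHEMES = {"http", "https"}
DROP_CONTENT = {"script", "style"}  # drop the element *and* its contents


class Sanitizer(HTMLParser):
    """Rebuild HTML from parse events instead of stripping with regexes.

    Tag names arrive lowercased, so <scRipt> is seen as 'script', and a '<'
    inside a quoted attribute value stays attribute data: the CERT example's
    link is re-emitted with that value escaped, never as a live tag.
    """

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._dropping = 0  # > 0 while inside a <script>/<style> element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self._dropping += 1
            return
        if tag not in ALLOWED_TAGS:
            return  # unknown tag removed; its text is still kept, escaped
        parts = [tag]
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue
            if name == "href" and urlsplit(value.strip()).scheme not in SAFE_SCHEMES:
                continue  # javascript:, data:, vbscript: ... are dropped
            parts.append(f'{name}="{escape(value, quote=True)}"')
        self.out.append(f"<{' '.join(parts)}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self._dropping = max(0, self._dropping - 1)
        elif tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._dropping:
            self.out.append(escape(data, quote=False))


def sanitize(fragment):
    """Return a fragment containing only allowlisted tags with escaped text."""
    p = Sanitizer()
    p.feed(fragment)
    p.close()
    return "".join(p.out)
```

Comments, declarations and processing instructions fall through the parser's default no-op handlers, so they are silently dropped as well.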