Topic: htmLawed in safe mode against XSS code listed in RSnake's cheat-sheet
Web-page illustrating anti-XSS efficacy of htmLawed with 'safe'=>1 against XSS code listed in RSnake's XSS cheat-sheet (http://ha.ckers.org/xss.html)
'Safe' mode means that the $config parameter 'safe' is set to 1 and that no other parameters are specified to override the default values that 'safe' implicitly sets.
In such cases, 'safe'=>1 is thus equivalent to the following in a $config value:
'comments'=>0, 'cdata'=>0,
'deny_attribute'=>'on*',
'elements'=>'*-applet-embed-iframe-object-script',
'scheme'=>'href: aim, feed, file, ftp, gopher, http, https, irc, mailto, news, nntp, sftp, ssh, telnet; style: nil; *:file, http, https'
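
As an added illustration (not htmLawed's code and not part of the original page), the following PHP models how the three rules above decide whether an element, an attribute and a URL value are kept. The function names are hypothetical, and the model assumes that 'nil' means no scheme is allowed, that a value without a scheme is a relative URL and passes, and that only plain URL attributes such as href and src are evaluated (style values are out of scope).

```php
<?php
// Added model of the policy above; not htmLawed's code. Function names are hypothetical.
$config = [ // values copied from the page
    'deny_attribute' => 'on*',
    'elements' => '*-applet-embed-iframe-object-script',
    'scheme' => 'href: aim, feed, file, ftp, gopher, http, https, irc, mailto, news, nntp, sftp, ssh, telnet; style: nil; *:file, http, https',
];

// '*-a-b' reads as "every element except a and b".
function element_allowed(array $config, string $tag): bool {
    $denied = array_slice(explode('-', $config['elements']), 1);
    return !in_array(strtolower($tag), $denied, true);
}

// 'on*' is treated as a prefix wildcard covering every event-handler attribute.
function attribute_allowed(array $config, string $attr): bool {
    $prefix = rtrim($config['deny_attribute'], '*');
    return strncasecmp($attr, $prefix, strlen($prefix)) !== 0;
}

// Parse 'attr: s1, s2; ...' into [attr => [schemes]]; 'nil' is assumed to mean none.
function parse_schemes(string $spec): array {
    $map = [];
    foreach (explode(';', $spec) as $rule) {
        [$attr, $list] = array_map('trim', explode(':', $rule, 2));
        $map[strtolower($attr)] = $list === 'nil' ? [] : array_map('trim', explode(',', $list));
    }
    return $map;
}

// Attributes without their own rule fall back to the '*' list.
function scheme_allowed(array $config, string $attr, string $value): bool {
    $map = parse_schemes($config['scheme']);
    $allowed = $map[strtolower($attr)] ?? $map['*'];
    // Drop whitespace and control characters, which browsers ignore inside a scheme.
    $clean = preg_replace('/[\x00-\x20]+/', '', $value);
    // Model assumption: no scheme means a relative URL, which passes.
    return !preg_match('/^([a-z][a-z0-9+.\-]*):/i', $clean, $m)
        || in_array(strtolower($m[1]), $allowed, true);
}

// Constructed sample inputs, not taken from the cheat-sheet.
$checks = [['a', 'href', 'https://example.com/'], ['a', 'href', "java\tscript:void(0)"],
    ['img', 'src', 'ftp://example.com/a.png'], ['img', 'onerror', 'x'], ['iframe', 'src', '/local.html']];
foreach ($checks as [$tag, $attr, $value]) {
    $ok = element_allowed($config, $tag) && attribute_allowed($config, $attr) && scheme_allowed($config, $attr, $value);
    printf("<%s %s=%s> => %s\n", $tag, $attr, json_encode($value), $ok ? 'kept' : 'rejected');
}
```

The ftp sample shows the difference between the href list and the shorter '*' list that applies to every other URL attribute.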