Safe cleansing of html


Safe cleansing of html

Jolle Carlestam-2
Is it safe to assume that if I replace any < with &#60; and any > with &#62; the resulting text can be sent to a browser and not do any harm?

HDB
Jolle

#############################################################

This message is sent to you because you are subscribed to
  the mailing list Lasso [hidden email]
Official list archives available at http://www.lassotalk.com
To unsubscribe, E-mail to: <[hidden email]>
Send administrative queries to  <[hidden email]>
Re: Safe cleansing of html

Bil Corry-3
It depends on the context in which the user content appears.  If it's
straight content, with a proper HTML doctype with a declared character
encoding, then your solution should be all you need to do.

If you place the user content into a JavaScript variable, CSS directives,
HTML attributes, TEXTAREA, etc, then the advice changes depending on the
context.

Also keep in mind that even if the user can't execute script, the user can
type anything they want, so they could put "Get a free membership to this
site, please email [hidden email] with your username and
password."  You'll want to ensure user content that is visible to other
users is always delineated as such.


- Bil


On Mon, Jul 18, 2016 at 10:06 AM, Jolle Carlestam <[hidden email]>
wrote:

> Is it safe to assume that if I replace any < with &#60; and any > with
> &#62; the resulting text can be sent to a browser and not do any harm?
>
> HDB
> Jolle
>

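The context point Bil makes, as an added Python example that is not from the Lasso thread: the questioner's "< and > only" replacement beside escapers for body text, a double-quoted attribute and a double-quoted JavaScript string literal, with a check showing which structure-changing characters each one leaves behind. Context names, the wrapper element and the sample input are my own assumptions.

```python
import html
import json

# Added example (not from the Lasso thread): the "< and > only" replacement from
# the question beside context-specific escapers, plus a check for which
# structure-changing characters survive in a given context. Context names are my own.

def escape_lt_gt(text: str) -> str:
    """The approach from the question: only < and > become character references."""
    return text.replace("<", "&#60;").replace(">", "&#62;")

def escape_html_text(text: str) -> str:
    """Element body text: also escape & so user-typed entities are not decoded."""
    return text.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")

def escape_html_attr(text: str) -> str:
    """Quoted attribute value: both quote characters must be escaped too, or the
    value ends early and the rest of the input is parsed as further attributes."""
    return html.escape(text, quote=True)

def escape_js_string(text: str) -> str:
    """Double-quoted string literal inside <script>: JSON-encode, then also encode
    <, > and & so the literal can never contain a closing </script> tag."""
    body = json.dumps(text)[1:-1]  # quotes, newlines, non-ASCII -> backslash escapes
    return body.replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026")

# Raw characters that change the structure of each context if they survive.
STRUCTURAL = {"text": set("<>"), "attr": set("<>\"'"), "js": set("<>\n\r")}

def survives_unescaped(escaped: str, context: str) -> set:
    """Return the structural characters still present in an escaped string."""
    return {ch for ch in escaped if ch in STRUCTURAL[context]}

def render_user_comment(text: str) -> str:
    """Delineate user content so other users can see it is user-typed, not site text."""
    return '<div class="user-content">' + escape_html_text(text) + "</div>"

def demo() -> dict:
    user = 'say "hi" & <b>bye</b>'  # constructed sample input
    return {
        "lt_gt_in_text": survives_unescaped(escape_lt_gt(user), "text"),
        "lt_gt_in_attr": survives_unescaped(escape_lt_gt(user), "attr"),
        "attr_in_attr": survives_unescaped(escape_html_attr(user), "attr"),
        "js_in_js": survives_unescaped(escape_js_string(user), "js"),
    }
```

`demo()` shows the gap: the "< and > only" output is clean in body text but leaves a raw double quote in attribute context, while the context-specific escapers leave nothing behind.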