For my users’ profiles, I am going to let them insert HTML code, which will be displayed on their profile.
Are there any special tags I need to manually remove when they save their profile?
Besides the <script> tag, what else could be dangerous?
What else could be “dangerous”?
applet, embed, object, script and iframe should be avoided at all costs.
a and img can be problematic as they allow linking to off-site resources. They can also contain javascript: URLs.
Avoid letting users enter any head tags into content meant for the body: style, link, meta, title, etc.
You also have to be careful of attributes. Don’t allow any attribute that begins with on, as they are JavaScript event bindings. You also want to check any URL attributes for javascript: and data: URLs.
EDITED TO ADD:
Forms and their children are also probably something to avoid as they can be used to dupe users into entering information that gets harvested by some other site.
I’d recommend using a whitelisting policy instead of blacklisting when it comes to tags and attributes, as it’s far easier to miss something with a blacklist. Also with HTML5 gaining traction there’s a whole host of new tags and attributes to watch out for.
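One way to put the allow-list policy from this answer into practice, as an added example that is not part of the question or the answer, using only Python's standard library HTML parser. The allowed tag and attribute sets, the permitted URL schemes, the list of tags whose content is dropped entirely, and the class and function names are all my own assumptions for the example; a real profile page would tune them to its needs.

```python
import html
import re
from html.parser import HTMLParser

# Assumed allow-list: tag -> attributes permitted on that tag. Anything not
# listed here is stripped. No "on*" attribute and no "style" attribute is ever allowed.
ALLOWED_TAGS = {
    "p": set(), "b": set(), "i": set(), "em": set(), "strong": set(), "br": set(),
    "ul": set(), "ol": set(), "li": set(), "blockquote": set(),
    "a": {"href", "title"},
    "img": {"src", "alt", "width", "height"},
}
VOID_TAGS = {"br", "img"}            # elements that never get a closing tag
URL_ATTRS = {"href", "src"}           # attributes whose value is a URL and needs a scheme check
ALLOWED_SCHEMES = {"http", "https", "mailto"}
# Tags whose *content* is discarded too (script bodies, hidden iframes, forms that harvest input).
# Void tags such as embed, link, meta and input are not listed: they are dropped by the allow-list
# and have no content to skip.
DROP_CONTENT_TAGS = {"script", "style", "iframe", "object", "applet", "title", "form", "textarea"}


def url_is_safe(value: str) -> bool:
    """Allow relative URLs and the listed schemes only; reject javascript:, data:, vbscript: etc."""
    # Browsers ignore tab/newline characters inside a URL, so "jav\tascript:" is still
    # javascript: to them. Drop every control character and space before looking at the scheme.
    cleaned = "".join(ch for ch in value if ord(ch) > 32)
    match = re.match(r"^([a-z][a-z0-9+.\-]*):", cleaned, re.IGNORECASE)
    if match is None:
        return True  # no scheme at all: a relative URL on our own site
    return match.group(1).lower() in ALLOWED_SCHEMES


class ProfileHtmlSanitizer(HTMLParser):
    """Rebuilds the input from scratch, emitting only allow-listed tags and attributes."""

    def __init__(self):
        # convert_charrefs=True hands us decoded text, and attribute values are always
        # entity-decoded by HTMLParser, so "&#106;avascript:" reaches url_is_safe as "javascript:".
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []   # stack of emitted non-void tags, used to keep output well nested
        self.skip_depth = 0   # > 0 while inside a tag whose content is being discarded

    def handle_starttag(self, tag, attrs):
        if self.skip_depth:
            if tag in DROP_CONTENT_TAGS:
                self.skip_depth += 1
            return
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth += 1
            return
        if tag not in ALLOWED_TAGS:
            return  # unknown tag: drop the tag itself but keep its text content
        kept = []
        for name, value in attrs:  # HTMLParser already lower-cases tag and attribute names
            if name.startswith("on") or name not in ALLOWED_TAGS[tag]:
                continue       # event handlers and anything outside the allow-list
            value = value or ""
            if name in URL_ATTRS and not url_is_safe(value):
                continue       # disallowed scheme: drop the attribute, keep the tag
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if self.skip_depth:
            if tag in DROP_CONTENT_TAGS:
                self.skip_depth -= 1
            return
        if tag in self.open_tags:
            # Close everything opened after this tag as well, so mis-nested input
            # such as <b><i>x</b></i> still produces well-formed output.
            while True:
                top = self.open_tags.pop()
                self.out.append(f"</{top}>")
                if top == tag:
                    break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))

    # Comments, doctype and processing instructions fall through to HTMLParser's
    # no-op handlers and are therefore dropped.

    def result(self) -> str:
        for tag in reversed(self.open_tags):  # close whatever the user left open
            self.out.append(f"</{tag}>")
        self.open_tags.clear()
        return "".join(self.out)


def sanitize_profile_html(raw: str) -> str:
    """Entry point: run this on the submitted profile HTML before storing it."""
    parser = ProfileHtmlSanitizer()
    parser.feed(raw)
    parser.close()
    return parser.result()


if __name__ == "__main__":
    # Constructed sample input exercising the cases discussed in the answer.
    sample = ('<p>Hello <b>world</b></p><script>alert(1)</script>'
              '<a href="javascript:alert(1)" onclick="x()">link</a>'
              '<img src="data:text/html;base64,AAAA"><form><input name="pw"></form>')
    print(sanitize_profile_html(sample))
```

The sanitizer never copies input through: it re-emits each element from the allow-list, so a tag or attribute that was not anticipated is dropped by default rather than having to be anticipated by a blacklist. The scheme check runs on the entity-decoded attribute value with control characters removed, which is the point at which the browser would interpret it; checking the raw string for the literal text "javascript:" would miss encoded and tab-split variants.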