I read that even if you strip <script> you are still vulnerable to XSS.
Something interesting I found as an answer is this <scrip<script></script>t>alert(1337)</script>
How do you evaluate this preg match?
echo preg_replace('/<script\b[^>]*>(.*?)<\/script>/is', "", $var);
Additionally, are there any other tags I should be aware of for XSS attacks?
strip_tags is sufficient to get rid of XSS issues. But using a single regex is not, as you need to cleanse and whitelist all HTML attributes and tags. Browsers are extremely forgiving and allow even malformed HTML that’s not standards-compliant (also IE bugs). That’s why it is pretty much unfeasible to use a regex for that. (Despite the silly SO meme, it is possible to match HTML with a contemporary regex language, just way too much effort.)
All the regex solutions you will find are blacklists, which are not considered a reliable solution. They will miss half of the possible exploits: http://ha.ckers.org/xss.html
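What the single-pass regex from the question does to the quoted payload, next to a repeat-until-stable pass, strip_tags and output encoding, as an added PHP example that is not part of the original thread. The helper names strip_script_once, strip_script_until_stable and h are hypothetical, and the use of htmlspecialchars assumes the value is written into an HTML text context, which the thread does not state.

```php
<?php
// Added example; the regex and the payload are the ones quoted in the question.
const SCRIPT_RE = '/<script\b[^>]*>(.*?)<\/script>/is';

// One pass, exactly as in the question.
function strip_script_once(string $html): string
{
    return preg_replace(SCRIPT_RE, '', $html);
}

// Hypothetical helper: repeat the replacement until the output stops changing.
// This only covers the one tag name the pattern looks for, so it is still
// a blacklist in the sense the answer describes.
function strip_script_until_stable(string $html): string
{
    do {
        $before = $html;
        $html = preg_replace(SCRIPT_RE, '', $html);
    } while ($html !== $before);
    return $html;
}

// Hypothetical helper: encode for an HTML text context instead of filtering.
// Assumption: the value is echoed between tags, not into an attribute or script.
function h(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Payload quoted in the question.
$var = '<scrip<script></script>t>alert(1337)</script>';

// Removing the inner "<script></script>" joins "<scrip" and "t>" into a new tag.
$once = strip_script_once($var);
printf("one pass:       %s\n", h($once));
printf("script remains: %s\n", stripos($once, '<script') !== false ? 'yes' : 'no');

// Re-running the same pattern until nothing changes.
$stable = strip_script_until_stable($var);
printf("until stable:   '%s'\n", h($stable));
printf("script remains: %s\n", stripos($stable, '<script') !== false ? 'yes' : 'no');

// The two non-regex options: remove all tags, or encode everything on output.
// Results are passed through h() so the demo is safe to view in a browser.
printf("strip_tags:     %s\n", h(strip_tags($var)));
printf("encoded output: %s\n", h($var));
```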