07-26-2008, 04:20 PM
#3
The Contributor
Join Date: Jun 2008
Location: Twin Cities, Minnesota, USA
Posts: 44
Thanks: 3
Make sure you either strip out or stop CSS like this:
HTML Code:
.h1 {
background-image: url( javascript: XSS() );
}
That's a pretty big XSS vector. If you allow edits not only to CSS but also to XHTML/HTML, I suggest using HTML Purifier, since that will very likely stop major XSS vectors.
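A worked filter for the vector described in the post above, added here as an example; it is not code from the thread or from HTML Purifier. It goes a little beyond the post: a literal match on the string `javascript:` is not enough, because CSS lets an attacker split or encode the keyword (`java/**/script:`, `\6a avascript:`, a tab inside the scheme), so the filter decodes comments and backslash escapes first and then applies a scheme allow-list to every `url()` value. It also drops the sibling script hooks of the same era, IE's `expression()` and `behavior:` and Gecko's `-moz-binding:`. The allow-list (`http`, `https`, relative URLs) and the replacement keyword `none` are assumptions of this example, not something the post specifies; for the modern browsers a `javascript:` URL in `background-image` is inert, but the escape-aware parsing is the part that still matters for any CSS sanitizer.

```javascript
// Added example (not from the thread or HTML Purifier): sanitise user-editable
// CSS by neutralising url() values with a disallowed scheme and removing
// legacy script-capable declarations. Assumed policy: only http(s) and
// relative URLs survive inside url(); everything else becomes "none".

const ALLOWED_SCHEMES = new Set(["http", "https"]);

// Collapse the obfuscations browsers tolerate before any keyword matching:
// comments splitting a token (java/**/script), CSS hex escapes (\6a avascript)
// and plain backslash escapes (\j). Escapes are decoded exactly once.
function normalizeCss(css) {
  let out = css.replace(/\/\*[\s\S]*?\*\//g, "");
  out = out.replace(/\\([0-9a-fA-F]{1,6})[ \t\r\n\f]?/g, (_, hex) => {
    const cp = parseInt(hex, 16);
    // NUL, surrogates and out-of-range code points decode to U+FFFD as in
    // CSS Syntax Level 3, so this never throws on hostile input.
    const bad = cp === 0 || cp > 0x10ffff || (cp >= 0xd800 && cp <= 0xdfff);
    return bad ? "\uFFFD" : String.fromCodePoint(cp);
  });
  out = out.replace(/\\([^\r\n\f])/g, "$1");
  return out;
}

// Decide whether the text inside url( ... ) may stay. Quotes are removed,
// then C0 control characters and spaces are stripped because URL parsers
// ignore tabs/newlines inside a scheme ("java\tscript:"). A value with no
// scheme is a relative URL and is allowed; any other scheme must be listed.
function isSafeCssUrl(rawValue) {
  let v = rawValue.trim();
  const quoted = /^(['"])([\s\S]*)\1$/.exec(v);
  if (quoted) v = quoted[2].trim();
  v = v.replace(/[\u0000-\u0020\u007f]/g, "");
  const scheme = /^([a-z][a-z0-9+.-]*):/i.exec(v);
  if (!scheme) return true;
  return ALLOWED_SCHEMES.has(scheme[1].toLowerCase());
}

// Rewrite a stylesheet: every url() whose value fails isSafeCssUrl becomes the
// keyword "none" (valid for background-image, list-style-image and cursor),
// and whole declarations using expression(), behavior: or -moz-binding: are
// deleted. The unquoted url() branch allows one level of nested parentheses
// so that "url( javascript: XSS() )" is consumed as a single token.
function sanitizeCss(css) {
  const normalized = normalizeCss(css);
  const urlRe =
    /url\(\s*("[^"]*"|'[^']*'|[^()]*(?:\([^()]*\)[^()]*)*)\s*\)/gi;
  let out = normalized.replace(urlRe, (whole, inner) =>
    isSafeCssUrl(inner) ? whole : "none"
  );
  out = out.replace(
    /[^;{}]*(?:expression\s*\(|behavior\s*:|-moz-binding\s*:)[^;}]*;?/gi,
    ""
  );
  return out;
}

// Constructed sample input: the exact rule from the post plus obfuscated
// variants that a plain substring check for "javascript:" would miss.
const SAMPLE_RULES = [
  ".h1 { background-image: url( javascript: XSS() ); }",
  "a { background: url(\"java\tscript:alert(1)\") }",
  "p { background-image: url(\\6a avascript:alert(1)) }",
  "p { background-image: url(java/**/script:alert(1)) }",
  ".a { width: expression(alert(1)); color: red }",
  "p { background-image: url(\"https://example.com/a.png\") }",
];

if (typeof require !== "undefined" && require.main === module) {
  for (const rule of SAMPLE_RULES) {
    console.log(JSON.stringify(rule), "=>", JSON.stringify(sanitizeCss(rule)));
  }
}
```

The order matters: normalise first, then match. Matching before decoding is exactly the mistake that lets `\6a avascript:` through, and stripping whitespace only after the quotes are removed is what keeps `"java\tscript:"` from being read as a relative URL. Replacing the value with `none` rather than deleting it keeps the declaration syntactically valid so the rest of the rule still parses.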