|Pathologically Eclectic Rubbish Lister|
Re: Re: Preventing Cross-site Scripting Attacksby gellyfish (Monsignor)
|on Feb 23, 2002 at 14:54 UTC||Need Help??|
are there other mechanisms that have to be addressed
Of course you can have event attributes such as onClick in certain HTML tags which could have malicious script in. On the whole the best approach as merlyn points out is to only allow a safe subset of HTML rather than attempting to remove potentially bad things.