sajith

Reputation: 2702

html dangerous tags to avoid while developing a chat application

I am developing a chat application using PHP and jQuery. All messages sent by the chat pair are appended to a <div>. While doing this, I found that tags such as <script> can be entered by users. What tags should I avoid while appending the user's message?

Upvotes: 4

Views: 7204

Answers (2)

mgw854

Reputation: 677

Avoid tags that will inject content into the page:

  • applet
  • script
  • style
  • link
  • iframe

Other tags may need to be removed as well. Maybe you don't want to embed images. These are things that you will need to determine. At the bare minimum, allow <p> and <br />.

Upvotes: 10

user2520968

Reputation: 368

You should never use a blacklist approach (which basically bans bad items), because there is always a chance that you either forget something, or that hackers will find a way to bypass your blacklist (e.g. by using Unicode). Instead, try using a whitelist approach, that is, create a set of acceptable tags and ban everything else.

Upvotes: 8
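The two answers above describe the same defence from opposite ends: the first lists tags that must never reach the page, the second says to allow only a known-good set and treat everything else as text. The following is an added example (not code from the question or either answer) of the whitelist approach on the client side, where the question appends messages to a <div> with jQuery. The tag list `ALLOWED_TAGS`, the function names `escapeHtml` and `sanitizeMessage`, and the sample messages are all assumptions made for this illustration. Tags on the whitelist are re-emitted with every attribute stripped (so an `onmouseover` on an allowed `<b>` disappears), every other `<`, `>`, `&` and quote is escaped so the browser renders it literally, and unclosed formatting is closed at the end of the message so it cannot leak into the next message appended to the same <div>.

```javascript
// Added example: whitelist sanitizer for chat messages (not from the original page).
// Only the tags in ALLOWED_TAGS survive, with all attributes dropped; every other
// '<', '>', '&' and quote is escaped so the browser treats it as literal text.

const ALLOWED_TAGS = new Set(["p", "br", "b", "i", "em", "strong"]); // assumed policy
const VOID_TAGS = new Set(["br"]); // tags that take no closing tag

// Escape the characters that can change meaning inside HTML text or attributes.
function escapeHtml(text) {
  return text
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Anything that looks like an opening or closing tag. The attribute part is
// matched only so that it can be discarded; it is never copied to the output.
const TAG_RE = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)\b[^>]*>/g;

function sanitizeMessage(input, allowed = ALLOWED_TAGS) {
  let out = "";
  let last = 0;
  const open = []; // stack of currently open whitelisted tags
  for (const m of input.matchAll(TAG_RE)) {
    const [raw, slash, name] = m;
    out += escapeHtml(input.slice(last, m.index)); // text before this tag
    const tag = name.toLowerCase();
    if (!allowed.has(tag)) {
      // Not on the whitelist (script, iframe, img, ...): render as harmless text.
      out += escapeHtml(raw);
    } else if (VOID_TAGS.has(tag)) {
      if (!slash) out += "<br>"; // canonical form, attributes dropped
    } else if (!slash) {
      open.push(tag);
      out += `<${tag}>`; // canonical form, attributes dropped
    } else if (open.includes(tag)) {
      // Close intervening tags too, so the output stays properly nested.
      let t;
      do {
        t = open.pop();
        out += `</${t}>`;
      } while (t !== tag);
    } else {
      out += escapeHtml(raw); // stray closing tag with nothing to close
    }
    last = m.index + raw.length;
  }
  out += escapeHtml(input.slice(last)); // trailing text
  // Close anything left open so formatting cannot leak into later messages.
  while (open.length) out += `</${open.pop()}>`;
  return out;
}

// Constructed sample messages showing what each rule does.
const SAMPLES = [
  "<script>alert(1)</script>hi",
  '<b onmouseover="alert(1)">bold</b> & <br/>',
  "<i>unclosed <IMG SRC=x onerror=alert(1)>",
];
for (const s of SAMPLES) console.log(JSON.stringify(sanitizeMessage(s)));
```

With jQuery the sanitized string can then be appended as markup, `$('#chat').append(sanitizeMessage(msg))`; if the chat needs no formatting at all, `$('#chat').append($('<p>').text(msg))` is simpler and needs no sanitizer, because `.text()` never parses the message as HTML. Whatever runs in the browser, the same whitelist should be applied in the PHP backend before a message is stored or relayed, since one client cannot rely on another client having sanitized what it sent. This regex tokenizer is enough to show the policy; a production chat would normally use a maintained HTML sanitizer library, which handles parser edge cases a hand-written regex does not.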
