New Response

You are replying to:

    • Ferdy
    • Posted on Tue 6 Nov 2007 05:24 AM

    Jake,

    Interesting initiative. My approach is to "disable, unless". I essentially block all html tags except a few that I specify explicitly, i.e. p,u,li,b,i. This seems obvious, but I have seen designs that do things the other way around: filtering everything potentially dangerous, leading to large exclusion lists.

    Furthermore, it is of course important to disable script tags, along with every other syntax that allows the insertion of javascript, Flash, and the like.

    A final thing which comes to mind, that I have not checked yet, is to see if other representations of a tag are filtered correctly. For example, the script tag can be written as <script>, but also using escape chars, Unicode chars, or combinations of the above. Will your filter script block all variations?

    Oh, and do run the filter on all sorts of input, not just fields. Do not forget your querystrings for example.

    Not a perfect fit example, but hopefully some useful pointers?

    PS: In both PHP and .NET there are ready-made/built-in protection methods for these kinds of things. Not to dismiss Domino, just to provide information :)
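Ferdy's "disable, unless" approach, written out as a small allowlist sanitizer. This is an added example, not code from the blog entry or from Ferdy: only the tags named in the comment (p, u, li, b, i) survive, every attribute is dropped, the bodies of script and style elements are discarded, and because the parser decodes character references before the filter sees them, an entity-encoded `&lt;script&gt;` arrives as text and is re-escaped rather than treated as a tag. The `ALLOWED_TAGS` set, the class name and the `sanitize`/`sanitize_query` helpers are this example's own choices; the sample inputs at the bottom are constructed. `sanitize_query` applies the same filter to query-string values, as the comment's last point suggests.

```python
"""Allowlist ("disable, unless") HTML sanitizer built on html.parser.

Added example: not code from the blog or its commenter. Tag set, names
and sample inputs are this example's own assumptions.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import parse_qs

ALLOWED_TAGS = {"p", "u", "li", "b", "i"}
# Elements whose text is code, not prose: drop the body instead of
# echoing it back as escaped text.
DROP_CONTENT = {"script", "style"}


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        # convert_charrefs=True decodes &lt; &#60; &#x3c; ... into plain text
        # before the handlers run, so encoded tags reach us as data, never as tags.
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []     # allowed tags currently open, for balancing
        self.skipping = None    # name of the DROP_CONTENT element we are inside

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag names, so <ScRiPt> compares as "script".
        if self.skipping:
            return
        if tag in ALLOWED_TAGS:
            # Attributes are discarded wholesale: no onclick, style, href.
            self.out.append(f"<{tag}>")
            self.open_tags.append(tag)
        elif tag in DROP_CONTENT:
            self.skipping = tag
        # Any other tag (img, iframe, object, ...) is silently dropped.

    def handle_endtag(self, tag):
        if self.skipping:
            if tag == self.skipping:
                self.skipping = None
            return
        if tag in self.open_tags:
            # Close intervening unclosed tags so the output stays balanced.
            while self.open_tags:
                t = self.open_tags.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break
        # A stray end tag for a non-open or disallowed element is dropped.

    def handle_data(self, data):
        if self.skipping:
            return
        # Re-escape, so decoded text such as "<script>" is emitted as &lt;script&gt;.
        self.out.append(escape(data, quote=False))

    def handle_comment(self, data):
        pass  # comments (including conditional comments) are dropped

    def result(self):
        self.close()                      # flush any buffered text
        while self.open_tags:             # close what the input left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize(fragment):
    """Return fragment with only ALLOWED_TAGS kept (no attributes)."""
    s = AllowlistSanitizer()
    s.feed(fragment)
    return s.result()


def sanitize_query(query_string):
    """Run the same filter over every percent-decoded query-string value."""
    return {k: [sanitize(v) for v in vs]
            for k, vs in parse_qs(query_string, keep_blank_values=True).items()}


if __name__ == "__main__":
    # Constructed samples covering the cases discussed in the comment.
    samples = [
        '<p onclick="x()">Hi <b>there</b></p>',
        '<script>alert(1)</script>ok',
        '&lt;script&gt;alert(1)&lt;/script&gt;',
        '<ScRiPt>x</ScRiPt>',
        '<img src=x onerror=alert(1)>click',
        '<p><b>unbalanced</p>',
    ]
    for s in samples:
        print(repr(s), "->", repr(sanitize(s)))
    print(sanitize_query('q=%3Cscript%3Ealert(1)%3C%2Fscript%3E&tag=<b>x</b>'))
```

The variants this handles are the ones Python's `html.parser` normalises for us: case differences in tag names, numeric and named character references, and percent-encoding in query strings. It is a demonstration of the allowlist idea rather than a complete sanitizer; for production input a maintained HTML-sanitizing library is the safer choice.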
