Target | News |
Subject | anti-XSS system (4) |
Summary | This is the last chapter of BigUmbrella. The code in (3) has two points that should be argued. - Is the check pattern OK? preg_match( '/[<\'"].{15}/s' , $val , $regs ) <img src="(REQUEST)" /> <a href="(REQUEST)"> If this pattern exists, it is not enough. Because "... |
As I thought, "allowing HTML" from external sources is simply not a viable setting.
Even with an approval system, there are many cases where it is effectively meaningless.
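To make the point in the summary concrete, here is an example added by the editor; it is not code from the original article or its author. It runs the quoted check pattern over a few constructed inputs in the `<a href="(REQUEST)">` context and shows which ones the pattern flags, then shows a scheme allow-list plus attribute encoding as an assumed alternative for the href/src contexts. The function names (`patternFlags`, `renderAnchorRaw`, `safeUrlAttribute`) and the sample inputs are assumptions made for this demonstration.

```php
<?php
// Added example by the editor, not code from the original article or its author.
// It runs the check pattern quoted in the summary against constructed inputs
// for the contexts it is meant to protect, <img src="(REQUEST)" /> and
// <a href="(REQUEST)">, and shows an allow-list alternative for those contexts.
declare(strict_types=1);

/** The check exactly as quoted: a <, ' or " followed by any 15 characters (/s lets . match newlines). */
function patternFlags(string $val): bool
{
    return preg_match('/[<\'"].{15}/s', $val, $regs) === 1;
}

/** What the page emits if an unflagged value is inserted into the href context unchanged. */
function renderAnchorRaw(string $val): string
{
    return '<a href="' . $val . '">';
}

/**
 * Editor's suggested replacement for the href/src contexts (an assumption, not the
 * article's code): accept only http/https URLs, then entity-encode for the attribute.
 * Returns null for rejected values.
 */
function safeUrlAttribute(string $val): ?string
{
    $scheme = parse_url($val, PHP_URL_SCHEME); // null or false when no scheme / malformed
    if (!is_string($scheme) || !in_array(strtolower($scheme), ['http', 'https'], true)) {
        return null; // rejects javascript:, data:, and values with no scheme at all
    }
    return htmlspecialchars($val, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed inputs (assumptions for the demonstration, not from the page).
$cases = [
    'http://example.com/page',        // no <, ' or ": passes, as it should
    '"><script>alert(1)</script>',    // " followed by 26 chars: the pattern fires
    '"><b>',                          // " followed by only 4 chars: it does not fire
    'http://x/?q=1" onclick=f()',     // " followed by 12 chars: it does not fire
    'javascript:alert(1)',            // no <, ' or " at all: it does not fire
];

foreach ($cases as $val) {
    printf("%-30s flagged=%-3s raw=%-40s safe=%s\n",
        $val,
        patternFlags($val) ? 'yes' : 'no',
        renderAnchorRaw($val),
        safeUrlAttribute($val) ?? '(rejected)');
}
```

The character-plus-length heuristic only sees values that contain one of `<`, `'` or `"` and at least 15 characters after it, so a short attribute-breaking fragment or a `javascript:` URL with no such character goes through unchanged. The allow-list version in `safeUrlAttribute` instead decides by what the attribute is allowed to contain (an http/https URL) and encodes the quotes it does keep; as written it also rejects relative URLs such as `/page`, which is a deliberate choice for a URL coming from an external request and can be relaxed if the site needs it.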