Why use a whitelist for HTML sanitizing?

Posted by Carson Myers on Stack Overflow See other posts from Stack Overflow or by Carson Myers
Published on 2010-03-19T08:09:51Z Indexed on 2010/03/19 8:21 UTC
Read the original article Hit count: 524

Filed under:
|
|

I've often wondered -- why use a whitelist as opposed to a blacklist when sanitizing HTML input?

How many sneaky HTML tricks are there to open XSS vulnerabilities? Obviously script tags and frames are not allowed, and a whitelist would be used on the fields in HTML elements, but why disallow most of everything?

© Stack Overflow or respective owner

Related posts about html

Related posts about whitelist