Why use a whitelist for HTML sanitizing?
Posted
by Carson Myers
on Stack Overflow
See other posts from Stack Overflow
or by Carson Myers
Published on 2010-03-19T08:09:51Z
Indexed on
2010/03/19
8:21 UTC
Read the original article
Hit count: 524
I've often wondered -- why use a whitelist as opposed to a blacklist when sanitizing HTML input?
How many sneaky HTML tricks are there to open XSS vulnerabilities? Obviously script tags and frames are not allowed, and a whitelist would be used on the fields in HTML elements, but why disallow most of everything?
© Stack Overflow or respective owner