httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From antoine <>
Subject Re: [users@httpd] Apache2 add module help !
Date Wed, 28 Oct 2009 20:53:20 GMT
Nick Kew wrote:
> Morten K. Poulsen wrote:
>> On Wed, 2009-10-28 at 19:06 +0200, antoine wrote:
>>> Consider that we have an html form and a php script that handles the
>>> posted data.
>>> The scenario is that the bad guy writes in the form for example
>>> "<script> ... bad javascript code </script>" and post this so when
>>> client get the page we have an attack.
>> Apache is not the right point to protect against things like that. It
>> would be an ugly hack, which would easily be circumvented by the
>> attacker.
>> Use PHP's htmlentities() or strip_tags() on the untrusted data, before
>> echoing it back to the clients. The manual pages explain how to do this.
> Nevertheless, mod_security offers some protection, where applications
> are problematic and can't be fixed.
> I don't know if it would help the OP, because I don't know the root
> cause of his problem.

Thank you guys for your propositions but don't focus in the security model.
In general if i use an input filter can i modify the page's static html code
before any dynamic code is inserted ??

The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:> for more info.
To unsubscribe, e-mail:
   "   from the digest:
For additional commands, e-mail:

View raw message