httpd-users mailing list archives

From antoine <antonis...@gmail.com>
Subject Re: [users@httpd] Apache2 add module help !
Date Wed, 28 Oct 2009 20:53:20 GMT
Nick Kew wrote:
> Morten K. Poulsen wrote:
>> On Wed, 2009-10-28 at 19:06 +0200, antoine wrote:
>>> Consider that we have an html form and a php script that handles the
>>> posted data.
>>> The scenario is that the bad guy writes in the form for example
>>> "<script> ... bad javascript code </script>" and posts this, so when the
>>> client gets the page we have an attack.
>>
>> Apache is not the right point to protect against things like that. It
>> would be an ugly hack, which would easily be circumvented by the
>> attacker.
>>
>> Use PHP's htmlentities() or strip_tags() on the untrusted data, before
>> echoing it back to the clients. The manual pages explain how to do this.
>
> Nevertheless, mod_security offers some protection, where applications
> are problematic and can't be fixed.
>
> I don't know if it would help the OP, because I don't know the root
> cause of his problem.
>

Thank you guys for your propositions, but don't focus on the security model.
In general, if I use an input filter, can I modify the page's static HTML code
before any dynamic code is inserted?





---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
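
The advice quoted in this thread (run htmlentities() or strip_tags() on untrusted data before echoing it back) is shown here as an added example; it is not code from any message in the thread. The function names and sample inputs are hypothetical and constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample values standing in for a posted form field such as $_POST['comment'].
$samples = [
    '<script>/* untrusted script */</script>',
    'Tom & "Jerry" <b>bold</b>',
];

// Hypothetical helper: encode untrusted text for an HTML body or quoted-attribute context.
function h(string $untrusted): string
{
    // ENT_QUOTES encodes both ' and "; ENT_SUBSTITUTE replaces invalid byte
    // sequences instead of returning an empty string; the charset is explicit.
    return htmlentities($untrusted, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Vulnerable form: the posted value is concatenated into the page as markup.
function render_unsafe(string $comment): string
{
    return '<p class="comment">' . $comment . '</p>';
}

// Hardened form: the value is encoded at output time, so the browser renders it as text.
function render_safe(string $comment): string
{
    return '<p class="comment">' . h($comment) . '</p>';
}

// strip_tags() removes the tags themselves but leaves tag contents, & and quotes
// untouched, so its result is still encoded before it is written into the page.
function render_stripped(string $comment): string
{
    return '<p class="comment">' . h(strip_tags($comment)) . '</p>';
}

foreach ($samples as $s) {
    echo 'input:    ', $s, PHP_EOL;
    echo 'unsafe:   ', render_unsafe($s), PHP_EOL;
    echo 'encoded:  ', render_safe($s), PHP_EOL;
    echo 'stripped: ', render_stripped($s), PHP_EOL, PHP_EOL;
}
```

Run it with the PHP command-line interpreter and compare the three outputs for each sample; only the unsafe form passes the posted markup through to the client unchanged.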

