Safe_html.php Updated

Thanks to Görg Pflug, who sent me an interesting exploit for safe_html.php, your favorite HTML sanitizer has been updated to version 0.6.

His exploit embedded XSS markup so that the act of stripping some tags with safe_html() reassembled a working exploit: the dangerous tag did not exist in the input, only in the output. Recombination attacks like that inspired safe_html() in the first place, so fixing the problem was straightforward: after stripping the tags, safe_html() now re-checks the result for any obvious exploit attempt and, if one is found, strips *everything*.
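To make the attack and the fix concrete, here is an added example in PHP. It is not code from safe_html.php; the functions strip_once(), looks_like_exploit() and safe_strip() and their blocklist patterns are assumptions of this example, and the attacker input is constructed. The recombination input is the classic form of this attack: removing the inner tag from a split tag name leaves a complete, live tag behind.

```php
<?php
// Added example, not part of safe_html.php. Demonstrates a tag-stripping
// recombination attack and the "re-check after stripping" fix.

// Constructed attacker input: no complete <script> tag exists here,
// but stripping the nested <script> and </script> recombines one.
const ATTACK = '<scr<script>ipt>alert(1)</scr</script>ipt>';

// Constructed benign input that should survive untouched.
const BENIGN = '<p>Hello <b>world</b></p>';

// Naive single-pass strip of a blocklist of dangerous tags (assumed list).
function strip_once(string $html): string
{
    return preg_replace('#</?(script|iframe|object|embed)\b[^>]*>#i', '', $html);
}

// Crude detector for obvious exploit attempts: a blocklisted tag name,
// an on*= event handler attribute, or a javascript: URL scheme.
function looks_like_exploit(string $html): bool
{
    return (bool) preg_match(
        '#<\s*/?\s*(script|iframe|object|embed)\b|\bon\w+\s*=|javascript\s*:#i',
        $html
    );
}

// The fix described in the post: strip, then look again at the result.
// If anything obviously dangerous is still there, drop the whole thing
// rather than trusting the stripped output.
function safe_strip(string $html): string
{
    $stripped = strip_once($html);
    if (looks_like_exploit($stripped)) {
        return '';
    }
    return $stripped;
}

// Single pass: the stripping itself builds the exploit.
echo "naive:    ", strip_once(ATTACK), "\n";   // <script>alert(1)</script>
// Re-check after stripping: nothing survives.
echo "hardened: [", safe_strip(ATTACK), "]\n"; // []
// Benign markup passes through the hardened path unchanged.
echo "benign:   ", safe_strip(BENIGN), "\n";   // <p>Hello <b>world</b></p>
```

The second check is a safety net for the fact that any blocklist-and-strip approach can be fed input whose removal produces new tokens; it does not make the blocklist itself complete, so treat it as the last line of defence behind whatever parsing the sanitizer does, not as a replacement for it.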

Remember, if you use safe_html.php or any other CHXO software, you should subscribe to our Announcements List to be informed of critical updates such as this one.

By Chris Snyder on January 29, 2007 at 10:59am


