I have an application that allows users to input certain html tags via a
markup code (like ""). The
the application translate "<" to "<" and ">" to ">" to prevent direct
html input by the user.
By doing this I basically allow users to input certain html tags, while not
giving them full permission to mess with the site.
However, I was made aware of cross-site scripting flaws which allow a user
to input something like "[img]javascript:alert(document.cookie)[/img]".
This would be translated into "<img
src="javascript:alert(document.cookie)">", which obviously is not good.
My question is, besides this javascript string, what others are there to
filter for, to prevent this type of attack?
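As an added illustration (this is not code from the question, and it assumes a BBCode-style `[img]...[/img]` syntax like the one described): the renderer below reproduces the scheme in the question, escaping `<` and `>` and then expanding `[img]`, beside a hardened renderer that does not try to blacklist strings at all. Instead it allowlists the URL scheme (`http`/`https`), strips the tab/newline/control characters that browsers ignore when parsing a scheme (so `java\nscript:` cannot slip past a plain string match), and HTML-escapes the URL in attribute context so a `"` inside the URL cannot add attributes such as `onerror`. The sample inputs are constructed for the demonstration.

```python
import html
import re
from typing import Optional
from urllib.parse import urlsplit

# Matches [img]...[/img]; DOTALL so a newline inside the URL does not defeat the match.
IMG_RE = re.compile(r"\[img\](.*?)\[/img\]", re.IGNORECASE | re.DOTALL)

ALLOWED_SCHEMES = {"http", "https"}

# Characters <= U+0020 (C0 controls and space); browsers strip these at both ends of a URL.
LEADING_TRAILING_JUNK = "".join(chr(c) for c in range(0x21))


def render_naive(markup: str) -> str:
    """The scheme described in the question: escape < and >, then expand [img] as-is."""
    text = markup.replace("<", "&lt;").replace(">", "&gt;")
    return IMG_RE.sub(lambda m: '<img src="%s">' % m.group(1), text)


def safe_url(raw: str) -> Optional[str]:
    """Return a cleaned URL if its scheme is allowlisted, else None.

    Assumption for this example: only absolute http(s) URLs are acceptable image sources.
    """
    cleaned = raw.strip(LEADING_TRAILING_JUNK)
    # Browsers also drop tab, LF and CR anywhere in a URL, so "java\nscript:" is "javascript:".
    cleaned = re.sub(r"[\t\r\n]", "", cleaned)
    try:
        scheme = urlsplit(cleaned).scheme  # urlsplit lowercases the scheme
    except ValueError:  # e.g. malformed IPv6 literal
        return None
    if scheme not in ALLOWED_SCHEMES:
        return None
    return cleaned


def render_hardened(markup: str) -> str:
    """Escape all user text, and only emit <img> for URLs that pass safe_url()."""
    out = []
    pos = 0
    for m in IMG_RE.finditer(markup):
        out.append(html.escape(markup[pos:m.start()]))
        url = safe_url(m.group(1))
        if url is None:
            # Rejected: show the literal markup instead of rendering a tag.
            out.append(html.escape(m.group(0)))
        else:
            # quote=True turns " and ' into entities, so the URL cannot close the attribute.
            out.append('<img src="%s">' % html.escape(url, quote=True))
        pos = m.end()
    out.append(html.escape(markup[pos:]))
    return "".join(out)


if __name__ == "__main__":
    samples = [  # constructed inputs
        "[img]http://example.com/a.png[/img]",
        "[img]javascript:alert(document.cookie)[/img]",
        "[img]java\nscript:alert(1)[/img]",
        '[img]http://example.com/a.png" onerror="alert(1)[/img]',
        "<b>plain</b>",
    ]
    for s in samples:
        print(repr(s))
        print("  naive:    ", render_naive(s))
        print("  hardened: ", render_hardened(s))
```

The point of the hardened version is that it never needs a list of bad strings: anything that is not an absolute `http`/`https` URL is refused, and whatever is accepted is escaped for the attribute it lands in. A scheme allowlist also covers `data:`, `vbscript:` and protocol-relative `//host/...` URLs without naming them.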