This is a critical update to fix an exploit brought to my attention by
Görg Pflug of Accentive Heidelberg GmbH.
He found that an attacker could take advantage of the tag-stripping
features of safe_html() by embedding a tag-to-be-stripped in the
middle of an XSS attempt. When safe_html() strips the tag, the exploit
becomes active. His example looked like: src="java<script>:alert(123)"
The function has been updated to check for XSS conditions once more,
*after* all text replacements have been performed.
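To make the ordering problem concrete, here is a small Python model of it (added for illustration; safe_html() itself is PHP and its real code is not shown here). The toy stripper assumes one plausible stripping behaviour, removing the angle brackets of a disallowed tag, so the announcement's own example string turns into a live javascript: URL after stripping. The "vulnerable" version checks for XSS before stripping; the "fixed" version strips to a fixed point and only then runs the check, which is the repair described above. The regexes and function names are assumptions for this example, not safe_html()'s.

```python
import re

# Constructed input: the exact example string quoted in the announcement.
EXAMPLE = 'src="java<script>:alert(123)"'

# Toy tag neutraliser (assumed behaviour for this illustration, not safe_html's
# real implementation): a disallowed tag loses its angle brackets, so
# "<script>" collapses to "script" and the surrounding text is joined up.
DISALLOWED_TAG = re.compile(r'</?(script|iframe|object)\b[^>]*>', re.IGNORECASE)

# The XSS condition this model checks for: a javascript: URL scheme.
DANGEROUS = re.compile(r'javascript\s*:', re.IGNORECASE)


def strip_tags_once(text: str) -> str:
    """Remove the brackets of every disallowed tag in a single pass."""
    return DISALLOWED_TAG.sub(lambda m: m.group(0)[1:-1], text)


def is_xss(text: str) -> bool:
    """True if the text, as it stands right now, carries the dangerous token."""
    return DANGEROUS.search(text) is not None


def vulnerable_safe_html(text: str) -> str:
    """Check first, strip second: the ordering bug the announcement fixes.

    The check runs on the raw input, where the embedded <script> tag keeps
    'java' and 'script:' apart, so nothing is found. Stripping then glues
    them together and the dangerous value is returned as 'clean'.
    """
    if is_xss(text):
        return ''
    return strip_tags_once(text)


def fixed_safe_html(text: str, max_rounds: int = 10) -> str:
    """Strip until nothing changes, then check the *final* text.

    Re-running the check after every replacement has settled is the fix
    described above; iterating to a fixed point additionally guards
    against replacements that expose a new disallowed tag.
    """
    for _ in range(max_rounds):
        stripped = strip_tags_once(text)
        if stripped == text:
            break
        text = stripped
    else:
        # Still changing after max_rounds: refuse rather than guess.
        return ''
    if is_xss(text):
        return ''
    return text


if __name__ == '__main__':
    print('vulnerable:', repr(vulnerable_safe_html(EXAMPLE)))
    print('fixed     :', repr(fixed_safe_html(EXAMPLE)))
```

The general rule this models: any sanitiser that transforms its input must validate the output of the transformation, not the input, because the transformation itself can assemble the very token the validator is looking for.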
Also in this update: standard tests to prove that safe_html() is safe
against known exploits. See http://chxo.com/chxo-scripts/safe_html/tests.php
Thanks!
Chris Snyder
csn...@chxo.com