Michael Ruebner <njus@lunchinglads.net> writes:
> Greetings,
>
> Not one to second-guess users' intentions, I like to throw back at
> them any text input that didn't make it through a couple of
> basic preg_match()'d sanity checks. This means reloading the
> form with the _unaltered_ input as respective 'value' attributes, combined
> with a friendly error message for the merely befuddled.
Sounds good in theory.
> The downright
> vicious may choke on their own pathetic attempts at XSS.
*If* that's true, then the input can be used as an XSS attack -
they'll just have to lure some unsuspecting victim to the
error/feedback page you created.
> But, how sane is such an approach from a security perspective? Is there
> anything that might come around and bite me in the ass?
Either you stop things like Javascript injection with proper escaping
etc., in which case it won't be a problem, or this will definitely bite
you.
--
Joost Diepenmaat | blog:
http://joost.zeekat.nl/ | work:
http://zeekat.nl/
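The point of the reply is that reflecting the *unaltered* input is fine only if it is escaped for the exact HTML context it lands in. The following is an added example, not code from either poster: it keeps the original text in the re-rendered field, but every reflected string passes through htmlspecialchars() with ENT_QUOTES before it is placed inside a quoted `value="..."` attribute. The function names (`looks_like_username`, `attr`, `render_form`, `handle`) and the username regex are assumptions made for the example.

```php
<?php
// Added example (not from the original thread). Helper names and the
// validation regex are assumptions chosen for illustration.

declare(strict_types=1);

// The kind of preg_match() sanity check the original post describes.
function looks_like_username(string $input): bool
{
    return preg_match('/^[a-z0-9_]{3,16}$/i', $input) === 1;
}

// Escape for an HTML attribute/body context. ENT_QUOTES encodes both
// " and ', so a reflected value can never terminate the attribute it
// sits in; ENT_SUBSTITUTE keeps malformed UTF-8 from yielding an empty
// string (which would silently drop the user's input).
function attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Rebuild the form with the user's input unchanged in storage terms,
// but only ever emitted through attr(), and only into a *quoted*
// attribute (escaping does not help inside value=... without quotes).
function render_form(string $field, string $submitted, ?string $error): string
{
    $html = '<form method="post" action="/signup">';
    if ($error !== null) {
        $html .= '<p class="error">' . attr($error) . '</p>';
    }
    $html .= sprintf(
        '<input type="text" name="%s" value="%s">',
        attr($field),
        attr($submitted)
    );
    $html .= '<button type="submit">Retry</button></form>';
    return $html;
}

// Request handler: accept valid input, otherwise bounce the form back
// with the original text and a friendly message.
function handle(array $post): string
{
    $username = (string) ($post['username'] ?? '');
    if (looks_like_username($username)) {
        return '<p>Welcome, ' . attr($username) . '</p>';
    }
    return render_form(
        'username',
        $username,
        'Usernames are 3 to 16 letters, digits or underscores.'
    );
}

// Constructed sample input: fails the regex and contains the characters
// that would break out of value="..." if reflected raw.
$sample = ['username' => 'bob" <b>x</b>'];
$out = handle($sample);
echo $out, PHP_EOL;

// Self-check: the quote and angle brackets only appear in encoded form.
if (strpos($out, 'value="bob&quot; &lt;b&gt;x&lt;/b&gt;"') === false) {
    fwrite(STDERR, "escaping check failed\n");
    exit(1);
}
echo "reflected input is attribute-safe\n";
```

Two caveats a reviewer would add: the escaping above is correct for HTML body text and quoted attributes only; if the same value is ever reflected into a `<script>` block, an inline event handler, or a URL, that context needs its own encoding. And the validation regex is not what makes this safe: the output encoding is. Rejecting "suspicious" input is a usability decision, while the escape-on-output step is the security control, and it has to apply to every reflected string, including the error message itself.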