1

I'm trying to limit which characters can be used in the request URI using:

            RewriteEngine on
            RewriteCond %{REQUEST_URI} !^([a-z0-9:/\.\_\-]) [NC]
            RewriteRule ^.* - [F,L]

For some reason it's not working. Any ideas?

Thanks!

Zero
  • Rather than creating that sort of filter yourself you might want to take a look at mod_security (http://www.modsecurity.org/). – joschi Dec 10 '10 at 12:04

1 Answer

2

Nice question. A good way to protect against XSS (cross site scripting).

This is the solution:

            RewriteEngine on
            RewriteCond %{REQUEST_URI} [^a-z0-9\_\:\/\.\-] [NC]
            RewriteRule () - [F,L]

A shorter equivalent would be:

            RewriteEngine on
            RewriteRule [^a-z0-9\_\:\/\.\-] - [F,L,NC]
Aleksandr Levchuk
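An added example, not part of the original question or answer: this Python sketch evaluates the question's pattern and the answer's pattern against constructed request paths, with Python's `re` standing in for Apache's regex engine and `re.IGNORECASE` modelling `[NC]`. The function names and sample paths are assumptions made for illustration.

```python
import re

# Patterns copied from the page. Apache's [NC] flag is modelled with re.IGNORECASE.
QUESTION_RE = re.compile(r"^([a-z0-9:/\.\_\-])", re.IGNORECASE)
ANSWER_RE = re.compile(r"[^a-z0-9\_\:\/\.\-]", re.IGNORECASE)
# Same class as the answer but case-sensitive, to show what [NC] contributes.
ANSWER_RE_NO_NC = re.compile(r"[^a-z0-9\_\:\/\.\-]")


def question_rule_forbids(uri: str) -> bool:
    # The leading "!" in the RewriteCond negates the match, and the pattern is
    # anchored to one character, so only the first character is ever tested.
    return QUESTION_RE.search(uri) is None


def answer_rule_forbids(uri: str, nocase: bool = True) -> bool:
    # An unanchored negated class matches as soon as any single character
    # falls outside the allow-list, wherever it appears in the URI.
    pattern = ANSWER_RE if nocase else ANSWER_RE_NO_NC
    return pattern.search(uri) is not None


# Constructed sample request paths (not taken from the page).
SAMPLES = [
    "/index.html",
    "/Docs/Guide-1_v2.html",
    "/search/<script>",
    "/files/a b.txt",
]


def compare(uris):
    """Return (uri, question_forbids, answer_forbids, answer_without_nc_forbids)."""
    return [
        (u, question_rule_forbids(u), answer_rule_forbids(u),
         answer_rule_forbids(u, nocase=False))
        for u in uris
    ]


if __name__ == "__main__":
    for row in compare(SAMPLES):
        print("%-24s question=%-5s answer=%-5s answer_no_nc=%s" % row)
```

Because every request path begins with `/`, which is in the allowed class, the question's negated, anchored condition never fires. `%{REQUEST_URI}` holds only the path, so neither rule examines the query string, which Apache exposes separately as `%{QUERY_STRING}`.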