I mean that you don't provide remove tab function
don't you?
My English is not very well, forgive me

2006/6/22, Ivan Ristic <ivan.ristic@gmail.com>:
On 6/22/06, j liu <normliu@gmail.com> wrote:
> Thank you very much
> and
> Embedded tab to break up the cross site scripting attack:
> <IMG SRC="jav ascript:alert('XSS');">
> Embedded encoded tab to break up XSS
> <IMG SRC="jav&#x09;ascript:alert('XSS');">
> how to prevent above?

From my head:

SecRule ARGS (javascript:|vbscript:|data:)

(Note: It is not necessary to specify anti-evasion actions with every rule.)

Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall