[Cialug] XSS input filtering

Josh More jmore at starmind.org
Wed Nov 7 07:58:10 CST 2012


Anytime you think you've found a simple solution to a security problem that
has plagued the industry for over a decade, you're wrong.

tl;dr: Fix your code.

;)

-Josh



On Wed, Nov 7, 2012 at 7:53 AM, Barry Von Ahsen <barry at vonahsen.com> wrote:

> I have not - it looks simple, but also looks like it has a few issues, but
> what doesn't
>
> there is also the OWASP ESAPI project -
> https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API -
> more complicated, but I'd wager more comprehensive too
>
> mod_security can also help with reflected XSS, but not so much with
> persistent XSS (last I checked)
>
>
> I'm guessing both give what you're willing to put in to them, but this
> area is hard - sometimes you want html inputs (tinymce/fckeditor areas,
> punycode, etc), just not all of it.  Then you're into writing your own
> regexes (or using the dodgy-looking user contributed functions on the
> strip_tags php page)
>
> bring on the 'PHP is teh sux' chorus…
>
>
> -barry
>
>
>
> On Nov 7, 2012, at 6:35 AM, Dave Hala Jr wrote:
>
> > Anyone had any success using the php strip_tags function for input
> > filtering?  It looks like a simple solution for filtering input and
> > output and avoiding XSS issues.
> >
> >
> > :) Dave
> >
> > _______________________________________________
> > Cialug mailing list
> > Cialug at cialug.org
> > http://cialug.org/mailman/listinfo/cialug
>
>


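An added example, written for this archive page rather than by anyone in the thread, contrasting strip_tags() with encoding at the point of output, which is the "fix your code" Josh is pointing at. It assumes PHP 5.4 or later (for ENT_SUBSTITUTE) and uses a constructed sample string.

```php
<?php
// Added example (not from the thread): strip_tags() versus output encoding.
declare(strict_types=1);

// Constructed sample input: ordinary user text that happens to contain
// a tag and both kinds of quotes.
$input = 'Tom "Tiny" O\'Brien <b>says hi</b>';

// strip_tags() removes the <b> element but leaves both quotes untouched.
// If this "filtered" value is later placed inside an HTML attribute, the
// double quote still terminates the attribute, so the data was never made
// safe for that context; strip_tags only reasons about tags, not contexts.
$stripped = strip_tags($input);

// Encoding for the HTML text and attribute contexts: turn the five
// significant characters (& < > " ') into entities so the browser treats
// the value as data regardless of what the user typed.
function encodeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Encode when the value is written into the page, in the context it lands
// in, instead of trying to sanitize it once at input time.
$encoded = encodeHtml($input);

echo "strip_tags output:       " . $stripped . "\n";
echo "htmlspecialchars output: " . $encoded . "\n";

// The same encoded value is safe in both a text node and a quoted attribute.
echo '<p>' . $encoded . '</p>' . "\n";
echo '<input type="text" value="' . $encoded . '">' . "\n";

// Note the limit of this function: it covers HTML text and attributes only.
// A value landing inside a <script> block, a URL, or a CSS property needs
// the encoder for that context (this is what libraries such as the OWASP
// ESAPI mentioned above provide), not strip_tags() and not htmlspecialchars().
```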