[Cialug] XSS input filtering

David Champion dchamp1337 at gmail.com
Wed Nov 7 08:34:06 CST 2012


Google for "php input filter". There are several options out there, some of
them are fairly simple to implement.

Don't forget about filtering your internal data as well - you should treat
it as being just as hostile as outside data, especially if you share data
with another application that you don't control.

-dc


On Wed, Nov 7, 2012 at 8:24 AM, Josh More <jmore at starmind.org> wrote:

> Pretty much what Barry said.
>
> Complexity is the bane of Security, sure, but you don't solve a complex
> problem like "my users need to use all these wacky characters" with a
> simple solution.  You need to simplify the problem as much as you can, then
> find a solution of similar simplicity.  Problems arise from the mismatch.
>
> -Josh
>
> On Wed, Nov 7, 2012 at 8:03 AM, Barry Von Ahsen <barry at vonahsen.com>
> wrote:
>
> > obMencken:
> >
> > For every complex problem there is an answer that is clear, simple, and
> > wrong.
> >
> > -barry
> >
> >
> > On Nov 7, 2012, at 7:58 AM, Josh More wrote:
> >
> > > Anytime you think you've found a simple solution to a security problem
> > that
> > > has plagued the industry for over a decade, you're wrong.
> > >
> > > tl;dr: Fix your code.
> > >
> > > ;)
> > >
> > > -Josh
> > >
> > >
> > >
> > > On Wed, Nov 7, 2012 at 7:53 AM, Barry Von Ahsen <barry at vonahsen.com>
> > wrote:
> > >
> > >> I have not - it looks simple, but also looks like it has a few issues,
> > but
> > >> what doesn't
> > >>
> > >> there is also the OWASP ESAPI project -
> > >>
> https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API-
> > >> more complicated, but I'd wager more comprehensive too
> > >>
> > >> mod_security can also help with reflected XSS, but not so much with
> > >> persistent XSS (last I checked)
> > >>
> > >>
> > >> I'm guessing both give what you're willing to put in to them, but this
> > >> area is hard - sometimes you want html inputs (tinymce/fckeditor
> areas,
> > >> punycode, etc), just not all of it.  then you're into writing your own
> > >> regexes (or using the dodgy-looking user contributed functions on the
> > >> strip_tags php page)
> > >>
> > >> bring on the 'PHP is teh sux' chorus…
> > >>
> > >>
> > >> -barry
> > >>
> > >>
> > >>
> > >> On Nov 7, 2012, at 6:35 AM, Dave Hala Jr wrote:
> > >>
> > >>> Anyone had any success using the php strip_tags function for input
> > >>> filtering?  It looks like a simple solution for filtering input and
> > >>> output and avoiding XSS issues.
> > >>>
> > >>>
> > >>> :) Dave
> > >>>
> > >>> _______________________________________________
> > >>> Cialug mailing list
> > >>> Cialug at cialug.org
> > >>> http://cialug.org/mailman/listinfo/cialug
> > >>
>
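An added PHP example, not written by any of the posters above, illustrating the thread's point: strip_tags() removes markup but does not encode quotes, so a "clean" value placed into an attribute can still terminate it, whereas context-aware output encoding (the "fix your code" route) does not have that gap. The function names encodeForHtml, encodeForUrlParam and isPlainName and the sample input are assumptions constructed for this example.

```php
<?php
// Added example (not from the thread): strip_tags() alone versus
// context-aware output encoding. Input string is constructed.
$input = 'O\'Brien said "hi" <b>there</b>';

// Pattern 1 (weak): strip_tags() drops the <b> tag but keeps both kinds of
// quotes, so inside a double-quoted attribute the value ends the attribute early.
$stripped = strip_tags($input);
$weakHtml = '<input type="text" value="' . $stripped . '">';
// Renders as: <input type="text" value="O'Brien said "hi" there">

// Pattern 2 (hardened): encode for the HTML context at the point of output.
function encodeForHtml(string $value): string
{
    // ENT_QUOTES encodes both ' and ", ENT_SUBSTITUTE replaces invalid UTF-8
    // instead of returning an empty string; the charset must match the page's.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}
$safeHtml = '<input type="text" value="' . encodeForHtml($input) . '">';
// Renders as:
// <input type="text" value="O&#039;Brien said &quot;hi&quot; &lt;b&gt;there&lt;/b&gt;">

// Pattern 3: a value that lands in a URL needs URL encoding first, then
// HTML encoding for the attribute it sits in; strip_tags() does neither.
function encodeForUrlParam(string $value): string
{
    return rawurlencode($value);
}
$link = '<a href="/search?q=' . encodeForHtml(encodeForUrlParam($input)) . '">search</a>';

// Validation is a separate step from encoding: a field that should only ever
// hold a plain name can reject anything outside an allow-list up front.
function isPlainName(string $value): bool
{
    return (bool) preg_match('/^[\p{L}\p{M}\' .-]{1,64}$/u', $value);
}

echo $weakHtml, PHP_EOL, $safeHtml, PHP_EOL, $link, PHP_EOL;
var_dump(isPlainName("O'Brien")); // bool(true)
var_dump(isPlainName($input));    // bool(false): contains quotes and brackets
```

Encoding is applied per output context (HTML body, attribute, URL parameter, JavaScript), which is why a single input-side filter such as strip_tags() cannot cover all of them.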

