[Cialug] XSS input filtering
Dave Hala Jr
dave at 58ghz.net
Wed Nov 7 19:42:22 CST 2012
Thanks Eric, this is what I was looking for.
On Wed, 2012-11-07 at 18:57 -0600, Eric Junker wrote:
> The advice that I've always followed is: Filter Input, Escape Output.
>
> For filtering XSS attacks use strip_tags() but for general purpose input
> filtering see PHP's built-in input filtering:
> http://us3.php.net/manual/en/book.filter.php
>
> If you need to allow certain HTML tags but strip others, you really
> should use something like HTMLPurifier http://htmlpurifier.org/ which
> will not only let you white list HTML tags but also HTML attributes.
>
> To escape XSS attacks, you use htmlentities(). Keep in mind that when
> using htmlentities() you really need to call it like this:
> htmlentities($data, ENT_QUOTES, 'UTF-8'); so that it will escape quotes
> and know which character encoding to use. If you don't specify a
> character encoding, XSS attacks that use UTF-7 are possible.
>
> Chris Shiflett is "the man" when it comes to PHP security. Here are a
> few of his articles:
>
> http://shiflett.org/articles/cross-site-scripting
> http://shiflett.org/blog/2007/may/character-encoding-and-xss
>
> Eric
>
> On 11/7/2012 6:35 AM, Dave Hala Jr wrote:
> > Anyone had any success using the php strip_tags function for input
> > filtering? It looks like a simple solution for filtering input and
> > output and avoiding XSS issues.
> >
> >
> > :) Dave
> >
> > _______________________________________________
> > Cialug mailing list
> > Cialug at cialug.org
> > http://cialug.org/mailman/listinfo/cialug
> >
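The "Filter Input, Escape Output" pattern from Eric's reply, written out as an added example (not code from the thread or from any of the projects it links). It assumes a hypothetical comment form with `email` and `body` fields, uses PHP's built-in filter extension for the input side and `htmlentities($data, ENT_QUOTES, 'UTF-8')` for the output side, and shows why `strip_tags()` on input is not a substitute for escaping on output: it removes the tags but leaves the text between them, and it does nothing for quotes in an attribute context.

```php
<?php
// Added example, not part of the original thread. The form fields, the
// sample submissions and the render helper are all hypothetical.
declare(strict_types=1);

// Output escaping, exactly as recommended in the thread: ENT_QUOTES so both
// ' and " are encoded (safe inside quoted attributes), and an explicit
// encoding so htmlentities() never has to guess the charset.
function escape_html(string $data): string
{
    return htmlentities($data, ENT_QUOTES, 'UTF-8');
}

// Input filtering with the filter extension Eric links to. Validation
// failures come back as false, missing keys as null.
function filter_comment(array $submission): ?array
{
    $clean = filter_var_array($submission, [
        'email' => FILTER_VALIDATE_EMAIL,
        'body'  => ['filter' => FILTER_CALLBACK, 'options' => 'strip_tags'],
    ]);

    if ($clean === false || $clean['email'] === false || $clean['body'] === null) {
        return null; // reject the whole submission rather than fixing it up
    }
    return $clean;
}

// Render a stored comment. Every value crosses into HTML through
// escape_html(), both in text nodes and inside a quoted attribute.
function render_comment(array $comment): string
{
    return '<div class="comment" data-author="' . escape_html($comment['email']) . '">'
         . '<p>' . escape_html($comment['body']) . '</p>'
         . '</div>';
}

// Declare the charset in the response too; an explicit charset keeps the
// browser from sniffing the encoding, which is the point of the UTF-7 remark.
header('Content-Type: text/html; charset=UTF-8');

// Constructed sample submissions (not real data).
$samples = [
    ['email' => 'alice@example.com',
     'body'  => '<script>alert(1)</script>Hello & "welcome"'],
    ['email' => 'not-an-address',
     'body'  => 'This one is rejected on the email check'],
];

foreach ($samples as $submission) {
    $comment = filter_comment($submission);
    if ($comment === null) {
        echo "rejected\n";
        continue;
    }
    // After strip_tags() the body is 'alert(1)Hello & "welcome"': the tags are
    // gone but the text survived, so output escaping is still required.
    echo 'filtered body: ' . $comment['body'] . "\n";
    echo render_comment($comment) . "\n";
}
```

Running this prints the filtered body with its tags removed, then a `<div>` in which `&`, `"` and the remaining text are entity-encoded; the second sample is rejected by `FILTER_VALIDATE_EMAIL`. If the requirement is to let users keep some markup, swap the `strip_tags` callback for an HTMLPurifier pass as Eric suggests, and keep `escape_html()` for every value that is not supposed to be HTML.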