- Subject: Re: strip_tags - HTML tag stripper
- From: "Jim Whitehead II" <jnwhiteh@...>
- Date: Tue, 22 Apr 2008 00:54:57 -0700
On Mon, Apr 21, 2008 at 3:46 AM, troels knak-nielsen <troelskn@gmail.com> wrote:
> I would like to note that blacklisting is a weak form of security.
> PHP's strip_tag is notoriously prone to XSS attacks, which is why
> libraries such as HtmlPurifier [1] exist. The best strategy is of
> course to avoid taking HTML as input, but if you must, then you need
> something that parses the HTML into an internal object model, runs the
> validation on this and finally writes it back out to HTML. You can use
> htmltidy [2] and an XML parser for the first part.
> You may find the XSS Cheatsheet [3] helpful for testing.
>
> [1] http://htmlpurifier.org/
> [2] http://tidy.sourceforge.net/
> [3] http://ha.ckers.org/xss.html
I was not advocating a blacklist versus a whitelist, since a whitelist
is obviously more secure. This is actually what Yuri's xssfilter
library provides, and it seems to do a very solid job. That being
said, I will look into htmlpurifier, but it being a pure PHP solution
makes it much less useful to me directly.
- Jim
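As an added example (not code from this thread, nor from the xssfilter or HtmlPurifier projects), the whitelist approach troels describes: tokenise the HTML, keep only allowed elements and attributes, reject unsafe URL schemes, and re-serialise with balanced tags. Python's standard `html.parser` plus an element stack stands in for a full object model here, and the whitelist itself is an assumption chosen for the demonstration.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed whitelist: allowed tags and, per tag, the attributes that may survive.
ALLOWED = {"b": set(), "i": set(), "em": set(), "strong": set(), "p": set(),
           "br": set(), "a": {"href", "title"}, "img": {"src", "alt"}}
VOID = {"br", "img"}                       # elements that never get a closing tag
SAFE_SCHEMES = {"http", "https", "mailto", ""}   # "" = relative URL

def safe_url(value):
    """Allow only http(s)/mailto/relative URLs; javascript:, data: etc. are dropped."""
    return urlsplit(value.strip()).scheme.lower() in SAFE_SCHEMES

class WhitelistSanitizer(HTMLParser):
    """Keep whitelisted tags/attributes only; unknown tags are discarded but
    their text content is kept (HTML-escaped). Comments are dropped by default."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.stack = [], []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            return                          # tag discarded; its children still processed
        kept = []
        for name, value in attrs:
            if name not in ALLOWED[tag] or value is None:
                continue                    # event handlers, style, etc. never pass
            if name in ("href", "src") and not safe_url(value):
                continue
            kept.append(' %s="%s"' % (name, html.escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))
        if tag not in VOID:
            self.stack.append(tag)

    def handle_endtag(self, tag):
        if tag in self.stack:               # close everything up to the matching open tag
            while self.stack:
                top = self.stack.pop()
                self.out.append("</%s>" % top)
                if top == tag:
                    break

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))

    def result(self):
        while self.stack:                   # balance tags the input left open
            self.out.append("</%s>" % self.stack.pop())
        return "".join(self.out)

def sanitize(fragment):
    parser = WhitelistSanitizer()
    parser.feed(fragment)
    parser.close()
    return parser.result()
```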