lua-users home
lua-l archive

I would like to note that blacklisting is a weak form of security.
PHP's strip_tags is notoriously prone to XSS attacks, which is why
libraries such as HtmlPurifier [1] exist. The best strategy is of
course to avoid taking HTML as input, but if you must, then you need
something that parses the HTML into an internal object model, runs the
validation on this and finally writes it back out to HTML. You can use
htmltidy [2] and an XML parser for the first part.
You may find the XSS Cheatsheet [3] helpful for testing.

[1] http://htmlpurifier.org/
[2] http://tidy.sourceforge.net/
[3] http://ha.ckers.org/xss.html

--
troels
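The parse / validate / re-serialize approach troels describes, as an added example that is not part of the original post and not the lua-l list's or HtmlPurifier's code. It uses Python's standard-library html.parser in place of htmltidy plus an XML parser, builds a small tree, keeps only an assumed allow-list of elements and attributes (ALLOWED, SAFE_SCHEMES, the Node/TreeBuilder/sanitize names are all this example's own choices), checks href schemes, and writes the tree back out with proper escaping. A regex-based naive_strip is included only to show the blacklist failure mode the post warns about.

```python
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Allow-list (assumed for this example): element -> attributes permitted on it.
# Anything not listed is dropped on output, never "cleaned" in place.
ALLOWED = {
    "p": set(), "br": set(), "b": set(), "i": set(), "em": set(), "strong": set(),
    "ul": set(), "ol": set(), "li": set(), "blockquote": set(),
    "a": {"href", "title"},
}
VOID = {"br"}                            # elements that take no closing tag
DROP_WITH_CONTENT = {"script", "style"}  # dropping only the tag would leak the body as text
SAFE_SCHEMES = {"http", "https", "mailto"}


class Node:
    """One element of the parsed tree, or a text node when tag is None."""
    def __init__(self, tag, attrs=None, text=""):
        self.tag, self.attrs, self.text, self.children = tag, attrs or {}, text, []


class TreeBuilder(HTMLParser):
    """Turn (possibly malformed) HTML into a Node tree instead of editing the string."""
    def __init__(self):
        super().__init__(convert_charrefs=True)  # entities are decoded here, re-encoded on output
        self.root = Node("#root")
        self.stack = [self.root]

    def handle_starttag(self, tag, attrs):
        node = Node(tag, dict(attrs))
        self.stack[-1].children.append(node)
        if tag not in VOID:
            self.stack.append(node)

    def handle_startendtag(self, tag, attrs):  # <br/> style syntax
        self.stack[-1].children.append(Node(tag, dict(attrs)))

    def handle_endtag(self, tag):
        # Pop back to the nearest matching open element; stray end tags are ignored.
        for i in range(len(self.stack) - 1, 0, -1):
            if self.stack[i].tag == tag:
                del self.stack[i:]
                return

    def handle_data(self, data):
        self.stack[-1].children.append(Node(None, text=data))


def safe_href(value):
    """Return the URL if its scheme is allowed (or relative), else None."""
    # Browsers ignore ASCII tab/CR/LF inside URLs, so remove them before reading the scheme.
    cleaned = re.sub(r"[\t\n\r]", "", value).strip()
    scheme = urlsplit(cleaned).scheme.lower()
    return cleaned if scheme == "" or scheme in SAFE_SCHEMES else None


def render(node, out):
    """Serialize a validated subtree; every byte written comes from the tree, not the input."""
    if node.tag is None:
        out.append(escape(node.text, quote=False))
        return
    if node.tag in DROP_WITH_CONTENT:
        return
    if node.tag not in ALLOWED:
        for child in node.children:  # unknown element: keep its text, lose the tag
            render(child, out)
        return
    attrs = ""
    for name, value in node.attrs.items():
        value = value or ""  # bare attributes such as <a download> parse as None
        if name not in ALLOWED[node.tag]:
            continue
        if name == "href":
            value = safe_href(value)
            if value is None:
                continue
        attrs += f' {name}="{escape(value, quote=True)}"'
    out.append(f"<{node.tag}{attrs}>")
    for child in node.children:
        render(child, out)
    if node.tag not in VOID:
        out.append(f"</{node.tag}>")


def sanitize(html):
    """Parse -> validate against the allow-list -> write back out."""
    parser = TreeBuilder()
    parser.feed(html)
    parser.close()
    out = []
    for child in parser.root.children:
        render(child, out)
    return "".join(out)


def naive_strip(html):
    """The blacklist approach the post warns against: remove <script> and hope."""
    return re.sub(r"(?is)<script\b.*?</script>", "", html)


if __name__ == "__main__":
    # Constructed sample inputs, taken from the classic XSS cheatsheet style of payloads.
    for sample in ['<img src=x onerror=alert(1)>',
                   '<a href="javascript:alert(1)" onclick="x()">click</a>']:
        print("blacklist:", naive_strip(sample))
        print("allowlist:", sanitize(sample))
```

The point of the structure: naive_strip passes the img payload through untouched because no blacklist entry matched, while sanitize never has to recognise an attack at all; it only has to recognise what it is willing to emit. For production use a maintained library, since edge cases in real browsers' parsing (and in html.parser's handling of malformed markup) are exactly where hand-rolled sanitizers fail.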