Re: strip_tags - HTML tag stripper

lua-l archive

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]

Subject: Re: strip_tags - HTML tag stripper
From: "troels knak-nielsen" <troelskn@...>
Date: Mon, 21 Apr 2008 12:46:14 +0200

I would like to note, that blacklisting is a weak form of security.
PHP's strip_tag is notoriously prone to XSS attacks, which is why
libraries such as HtmlPurifier [1] exists. The best strategy is of
course to avoid taking HTML as input, but if you must, then you need
something that parses the HTML into an internal object model, run the
validation on this and finally write it back out to HTML. You can use
htmltidy [2] and an XML-parser for the first part.
You may find the XSS Cheatsheet [3] helpful for testing.

[1] http://htmlpurifier.org/
[2] http://tidy.sourceforge.net/
[3] http://ha.ckers.org/xss.html

--
troels

Follow-Ups:
- Re: strip_tags - HTML tag stripper, Jim Whitehead II

References:
- strip_tags - HTML tag stripper, Jim Whitehead II
- Re: strip_tags - HTML tag stripper, Bertrand Mansion

Prev by Date: Re: strip_tags - HTML tag stripper
Next by Date: RE: writing to binary files
Previous by thread: Re: strip_tags - HTML tag stripper
Next by thread: Re: strip_tags - HTML tag stripper
Index(es):
- Date
- Thread