lua-l archive

On Mon, Apr 21, 2008 at 3:46 AM, troels knak-nielsen <troelskn@gmail.com> wrote:
> I would like to note that blacklisting is a weak form of security.
> PHP's strip_tag is notoriously prone to XSS attacks, which is why
> libraries such as HtmlPurifier [1] exist. The best strategy is of
> course to avoid taking HTML as input, but if you must, then you need
> something that parses the HTML into an internal object model, runs the
> validation on this and finally writes it back out to HTML. You can use
> htmltidy [2] and an XML parser for the first part.
> You may find the XSS Cheatsheet [3] helpful for testing.
>
> [1] http://htmlpurifier.org/
> [2] http://tidy.sourceforge.net/
> [3] http://ha.ckers.org/xss.html

I was not advocating a blacklist versus a whitelist, since a whitelist
is obviously more secure.  This is actually what yuri's xssfilter
library provides, and it seems to do a very solid job.  That being
said, I will look into htmlpurifier but it being a pure PHP solution
makes it much less useful to me directly.

- Jim
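The parse / validate against a whitelist / re-serialize pipeline that the quoted message describes, as an added example that is not part of this thread and is not the code of xssfilter, HtmlPurifier or htmltidy. It is written in Python on the standard library's html.parser rather than in Lua so that it runs without a third-party HTML parser; the tag and attribute whitelist, the accepted URL prefixes and the sample inputs are all constructed for the illustration:

```python
import html
from html.parser import HTMLParser

# Constructed whitelist for the example: allowed tags and, per tag, the attributes kept.
ALLOWED_TAGS = {
    "p": set(), "b": set(), "i": set(), "em": set(), "strong": set(),
    "ul": set(), "ol": set(), "li": set(), "br": set(),
    "a": {"href", "title"},
}
VOID_TAGS = {"br"}                       # no end tag, no children
DROP_WITH_CONTENT = {"script", "style"}  # element and its text are both discarded
SAFE_HREF_PREFIXES = ("http://", "https://", "mailto:")  # constructed scheme whitelist


class Node:
    """One element of the internal object model; tag None means an unwrapped element."""
    def __init__(self, tag, attrs, src_tag=None):
        self.tag = tag
        self.attrs = attrs
        self.src_tag = src_tag or tag   # name used to match the closing tag
        self.children = []              # Node or str (text)


def _safe_href(value):
    # Whitelist of URL schemes: anything not explicitly listed (javascript:, data:,
    # relative paths, ...) is rejected outright instead of being pattern-matched away.
    low = (value or "").strip().lower()
    return any(low.startswith(p) for p in SAFE_HREF_PREFIXES)


class _TreeBuilder(HTMLParser):
    """Stage 1 and 2: parse into a tree, applying the whitelist as nodes are created."""
    def __init__(self):
        super().__init__(convert_charrefs=True)  # text arrives already unescaped
        self.root = Node(None, {})
        self.stack = [self.root]
        self.dropping = False                    # True while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if self.dropping:
            return
        if tag in DROP_WITH_CONTENT:
            self.dropping = True
            return
        if tag in ALLOWED_TAGS:
            kept = {}
            for name, value in attrs:
                if name not in ALLOWED_TAGS[tag]:
                    continue                     # on*, style, id, ... never survive
                if name == "href" and not _safe_href(value):
                    continue
                kept[name] = value or ""
            node = Node(tag, kept)
        else:
            node = Node(None, {}, src_tag=tag)   # unknown element: keep its text, lose the tag
        self.stack[-1].children.append(node)
        if tag not in VOID_TAGS:
            self.stack.append(node)

    def handle_endtag(self, tag):
        if self.dropping:
            if tag in DROP_WITH_CONTENT:
                self.dropping = False
            return
        # Close the nearest matching open element; anything still open above it is closed too.
        for idx in range(len(self.stack) - 1, 0, -1):
            if self.stack[idx].src_tag == tag:
                del self.stack[idx:]
                return
        # A stray end tag with no open element is ignored.

    def handle_data(self, data):
        if not self.dropping:
            self.stack[-1].children.append(data)
    # Comments, processing instructions and doctypes fall through to the no-op defaults.


def _serialize(node, out):
    """Stage 3: write the validated tree back out, escaping all text and attribute values."""
    for child in node.children:
        if isinstance(child, str):
            out.append(html.escape(child, quote=False))
        elif child.tag is None:
            _serialize(child, out)               # unwrapped element: only its content
        else:
            attrs = "".join(f' {k}="{html.escape(v, quote=True)}"' for k, v in child.attrs.items())
            out.append(f"<{child.tag}{attrs}>")
            if child.tag not in VOID_TAGS:
                _serialize(child, out)
                out.append(f"</{child.tag}>")


def sanitize(fragment):
    builder = _TreeBuilder()
    builder.feed(fragment)
    builder.close()
    out = []
    _serialize(builder.root, out)
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample inputs showing what the whitelist keeps and what it drops.
    for sample in [
        '<p onclick="x">Hi <b>there</b><script>alert(1)</script></p>',
        '<a href="javascript:alert(1)">click</a> <a href="https://example.com" onmouseover="x">ok</a>',
        '<div><b>unclosed <i>text</div> 1 &lt; 2 &amp; done',
        '<p>safe</p><iframe src="x"></iframe><!-- c --><br/>',
    ]:
        print(sanitize(sample))
```

Because the output is regenerated from the tree rather than copied from the input, malformed markup (unclosed elements, stray end tags, attributes with odd quoting) cannot leak through: whatever the parser could not fit into the model simply is not emitted. Unknown elements are unwrapped here so that their text survives; the stricter alternative of discarding them with their content is a one-line change in handle_starttag, and is what the code already does for script and style.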