lua-l archive



On Tue, Apr 22, 2008 at 9:54 AM, Jim Whitehead II <jnwhiteh@gmail.com> wrote:
>  I was not advocating a blacklist versus a whitelist, since a whitelist
>  is obviously more secure.  This is actually what yuri's xssfilter
>  library provides, and it seems to do a very solid job.  That being
>  said, I will look into htmlpurifier but it being a pure PHP solution
>  makes it much less useful to me directly.

I mostly mentioned HtmlPurifier as a counter to strip_tags. Obviously,
it's of little use together with Lua.

I always get a little uneasy whenever people talk about filtering
HTML. Mind you, there are situations where that's the only thing to
do, but generally speaking, you have a security problem the moment
you let the user supply data that you are going to display directly.
Filtering helps, but it's fundamentally a flawed solution. Just my 2€.

--
troels
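To make the blacklist-versus-whitelist point concrete, here is a small added example in Lua (it is not code from this thread, and it is not xssfilter or HtmlPurifier). It assumes Lua 5.1 or later and nothing beyond the standard string library. The allowed-tag table, the two filter functions and the sample inputs are all constructed for illustration: the blacklist filter deletes any `<script>` tag it can see, which is roughly what a naive strip_tags-style approach does, and the whitelist filter lets a fixed set of attribute-free tags through and HTML-escapes every other character, so anything it does not recognise is rendered as text rather than markup.

```lua
-- Added example: blacklist filtering vs whitelist filtering of user HTML.
-- Not code from the thread; the tag list and inputs are constructed.

-- Escape the five characters that can break out of HTML text content.
local function html_escape(s)
  return (s:gsub("[&<>\"']", {
    ["&"] = "&amp;", ["<"] = "&lt;", [">"] = "&gt;",
    ['"'] = "&quot;", ["'"] = "&#39;",
  }))
end

-- Blacklist: remove every <script ...> and </script> tag (case-insensitive),
-- leave everything else untouched. This is the approach the thread warns against.
local function blacklist_filter(s)
  return (s:gsub("</?[Ss][Cc][Rr][Ii][Pp][Tt][^>]*>", ""))
end

-- Whitelist: a hypothetical set of harmless, attribute-free tags.
local ALLOWED = { b = true, i = true, em = true, strong = true, p = true, br = true }

-- Walk the input tag by tag. An allowed tag with no attributes is re-emitted
-- in canonical form; every other tag, and all text between tags, is escaped.
local function whitelist_filter(s)
  local out, pos = {}, 1
  while true do
    local i, j, slash, name, attrs = s:find("<(/?)(%a+)([^>]*)>", pos)
    if not i then
      out[#out + 1] = html_escape(s:sub(pos))   -- trailing text
      break
    end
    out[#out + 1] = html_escape(s:sub(pos, i - 1))  -- text before the tag
    name = name:lower()
    if ALLOWED[name] and attrs:match("^%s*$") then
      out[#out + 1] = "<" .. slash .. name .. ">"
    else
      -- unknown tag, or a known tag carrying attributes: render it as text
      out[#out + 1] = html_escape(s:sub(i, j))
    end
    pos = j + 1
  end
  return table.concat(out)
end

-- Constructed sample inputs (not taken from the thread).

-- 1. Tag-splitting: deleting the inner tags reassembles a live <script>.
local bypass = '<scr<script>ipt>alert(1)</scr</script>ipt>'
assert(blacklist_filter(bypass) == '<script>alert(1)</script>')
assert(not whitelist_filter(bypass):find('<', 1, true))  -- no raw '<' survives

-- 2. An event handler on a tag the blacklist never heard of.
local handler = '<img src=x onerror=alert(1)>'
assert(blacklist_filter(handler) == handler)             -- passes straight through
assert(whitelist_filter(handler) == '&lt;img src=x onerror=alert(1)&gt;')

-- 3. Benign formatting still works, and bare '&' is encoded.
local benign = '<b>bold</b> & <i>italic</i>'
assert(whitelist_filter(benign) == '<b>bold</b> &amp; <i>italic</i>')

-- 4. A whitelisted tag with an attribute is escaped, not trusted.
assert(whitelist_filter('<B onclick=alert(1)>x</B>') == '&lt;B onclick=alert(1)&gt;x</b>')

print("all checks passed")
```

Two caveats a practitioner should keep in mind. First, this filter does not enforce nesting or balance, so a stray allowed closing tag such as `</p>` can still close an element of the surrounding page; a real library parses the input into a tree for exactly that reason. Second, `html_escape` is only correct for the HTML text context: data dropped into an attribute value, a URL or a script block needs a different encoder, which is the practical content of troels' remark that filtering alone is a flawed solution.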