- Subject: Re: strip_tags - HTML tag stripper
- From: "troels knak-nielsen" <troelskn@...>
- Date: Mon, 21 Apr 2008 12:46:14 +0200
I would like to note that blacklisting is a weak form of security.
PHP's strip_tags is notoriously prone to XSS attacks, which is why
libraries such as HtmlPurifier exist. The best strategy is of
course to avoid taking HTML as input, but if you must, then you need
something that parses the HTML into an internal object model, runs the
validation on this and finally writes it back out to HTML. You can use
htmltidy and an XML parser for the first part.
You may find the XSS Cheatsheet helpful for testing.
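The parse, validate, re-serialize approach the reply describes, as an added example in Python that is not code from the post or from the strip_tags library under discussion. It uses the standard-library `html.parser` as the tokenizer; the allow-list in `ALLOWED`, the `SAFE_HREF` scheme list and the `sanitize` function are assumptions made for this illustration.

```python
from html import escape
from html.parser import HTMLParser

# Allow-list (constructed for this example): tag -> attributes permitted on it.
ALLOWED = {"p": set(), "b": set(), "i": set(), "br": set(), "a": {"href"}}
VOID = {"br"}                       # tags that never get a closing tag
DROP_CONTENT = {"script", "style"}  # drop these tags *and* their inner text
SAFE_HREF = ("http://", "https://", "mailto:")

class AllowListSanitizer(HTMLParser):
    """Parse to tokens, keep only allow-listed tags/attributes, re-emit escaped."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open, self.dropping = [], [], None
    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.dropping = tag
            return
        if tag not in ALLOWED or self.dropping:
            return                      # unknown tag is dropped, its text is kept
        parts = []
        for name, value in attrs:
            if name not in ALLOWED[tag] or value is None:
                continue                # onclick=, style= etc. are never kept
            if name == "href" and not value.strip().lower().startswith(SAFE_HREF):
                continue                # rejects javascript:, data:, vbscript:
            parts.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(parts)}>")
        if tag not in VOID:
            self.open.append(tag)
    def handle_endtag(self, tag):
        if self.dropping:
            self.dropping = None if tag == self.dropping else self.dropping
            return
        while tag in self.open:         # pop inner tags first so nesting stays valid
            t = self.open.pop()
            self.out.append(f"</{t}>")
            if t == tag: break
    def handle_data(self, data):        # text and decoded char refs are re-escaped
        if not self.dropping:
            self.out.append(escape(data, quote=False))
    def result(self):
        while self.open:                # close anything the input left open
            self.out.append(f"</{self.open.pop()}>")
        return "".join(self.out)

def sanitize(html):
    p = AllowListSanitizer()
    p.feed(html)
    p.close()
    return p.result()
```

Because the output is rebuilt from the token stream rather than edited in place, malformed or unclosed input cannot smuggle a tag through, and every text node and attribute value is escaped on the way out.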