[Date Prev][Date Next][Thread Prev][Thread Next]
- Subject: Re: strip_tags - HTML tag stripper
- From: "troels knak-nielsen" <troelskn@...>
- Date: Tue, 22 Apr 2008 10:27:29 +0200
On Tue, Apr 22, 2008 at 9:54 AM, Jim Whitehead II <firstname.lastname@example.org> wrote:
> I was not advocating a blacklist versus a whitelist, since a whitelist
> is obviously more secure. This is actually what yuri's xssfilter
> library provides, and it seems to do a very solid job. That being
> said, I will look into htmlpurifier but it being a pure PHP solution
> makes it much less useful to me directly.
I mostly mentioned HtmlPurifier as a counter to strip_tags. Obviously,
it's of little use together with Lua.
I always get a little uneasy, whenever people talk about filtering
HTML. Mind you, there are situations where that's the only thing to
do, but generally speaking, you have a security problem, the moment
you let the user supply data, that you are going to display directly.
Filtering helps, but it's fundamentally a flawed solution. Just my 2€.