[nycphp-talk] User Input Data scrubbing
Michele Waldman
mmwaldman at nyc.rr.com
Fri Nov 28 16:51:04 EST 2008
I checked out http://htmlpurifier.org
They stripped <script> alert('hi'); </script> out of the input.
I convert that to text and display it as text. I don't like the removal of that.
Michele
-----Original Message-----
From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org] On Behalf Of Chris Shiflett
Sent: Friday, November 28, 2008 3:47 PM
To: NYPHP Talk
Subject: Re: [nycphp-talk] User Input Data scrubbing
On Nov 28, 2008, at 15:26, Elijah Insua wrote:
> Html/Cross Site Scripting is more along the lines of what you are
> talking about. There are tons of libraries out there that attempt
> to kill off as many of these as possible.
The best one of these happens to be written in PHP:
http://htmlpurifier.org/
If your needs are extremely simple, HTML Purifier might be more than
you need, in which case a simple solution like this might work:
http://shiflett.org/blog/2007/mar/allowing-html-and-preventing-xss
Hope that helps.
Chris
--
Chris Shiflett
http://shiflett.org/
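Added example, not from this thread and not HTML Purifier's code: a short PHP script contrasting the two behaviours the thread discusses, stripping the markup (what Michele saw HTML Purifier do to the script tag) versus escaping it so the same characters are displayed as text (her approach). The sample input string and the function names are constructed for illustration.

```php
<?php
// Added example (not from the thread or from HTML Purifier): contrasts
// stripping markup with escaping it. The sample input is constructed.

declare(strict_types=1);

// Constructed sample: the kind of input Michele describes.
$input = "Hello <script> alert('hi'); </script> world";

// Approach 1: strip the markup. The user's text is altered: the tags
// are removed, which is the behaviour Michele objects to.
function scrubByStripping(string $s): string
{
    // strip_tags removes the tags themselves but keeps the text between
    // them, so "alert('hi');" survives as plain text.
    return strip_tags($s);
}

// Approach 2: keep every character but encode it so the browser treats
// the whole string as text and never as markup.
function scrubByEscaping(string $s): string
{
    // ENT_QUOTES also encodes ' and " so the value is safe inside
    // attribute values; naming the charset avoids encoding surprises.
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

echo "strip:  ", scrubByStripping($input), PHP_EOL;
echo "escape: ", scrubByEscaping($input), PHP_EOL;
```

Escaping is the right default when the value is only ever shown as text, because nothing the user typed is lost and nothing is interpreted. A filtering library such as HTML Purifier addresses a different problem: letting users author a subset of HTML that is then rendered. Note that htmlspecialchars covers HTML element and attribute contexts only; a value echoed into a script block, a URL, or a CSS rule needs encoding specific to that context.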
_______________________________________________
New York PHP User Group Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk
http://www.nyphp.org/show_participation.php
More information about the talk mailing list