[Cialug] XSS input filtering

Dave Hala Jr dave at 58ghz.net
Wed Nov 7 08:02:44 CST 2012


I thought complexity was the bane of security and that keeping it simple
was always a better choice. I take it I'm missing the boat here?


On Wed, 2012-11-07 at 07:58 -0600, Josh More wrote:
> Anytime you think you've found a simple solution to a security problem that
> has plagued the industry for over a decade, you're wrong.
> 
> tl;dr: Fix your code.
> 
> ;)
> 
> -Josh
> 
> 
> 
> On Wed, Nov 7, 2012 at 7:53 AM, Barry Von Ahsen <barry at vonahsen.com> wrote:
> 
> > I have not - it looks simple, but also looks like it has a few issues, but
> > what doesn't
> >
> > there is also the OWASP ESAPI project -
> > https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API -
> > more complicated, but I'd wager more comprehensive too
> >
> > mod_security can also help with reflected XSS, but not so much with
> > persistent XSS (last I checked)
> >
> >
> > I'm guessing both give what you're willing to put into them, but this
> > area is hard - sometimes you want html inputs (tinymce/fckeditor areas,
> > punycode, etc), just not all of it.  Then you're into writing your own
> > regexes (or using the dodgy-looking user contributed functions on the
> > strip_tags php page)
> >
> > bring on the 'PHP is teh sux' chorus…
> >
> >
> > -barry
> >
> >
> >
> > On Nov 7, 2012, at 6:35 AM, Dave Hala Jr wrote:
> >
> > > Anyone had any success using the php strip_tags function for input
> > > filtering?  It looks like a simple solution for filtering input and
> > > output and avoiding XSS issues.
> > >
> > >
> > > :) Dave
> > >
> > > _______________________________________________
> > > Cialug mailing list
> > > Cialug at cialug.org
> > > http://cialug.org/mailman/listinfo/cialug
> >


