[Cialug] XSS input filtering

Barry Von Ahsen barry at vonahsen.com
Wed Nov 7 08:03:09 CST 2012


obMencken:

For every complex problem there is an answer that is clear, simple, and wrong.

-barry


On Nov 7, 2012, at 7:58 AM, Josh More wrote:

> Anytime you think you've found a simple solution to a security problem that
> has plagued the industry for over a decade, you're wrong.
> 
> tl;dr: Fix your code.
> 
> ;)
> 
> -Josh
> 
> 
> 
> On Wed, Nov 7, 2012 at 7:53 AM, Barry Von Ahsen <barry at vonahsen.com> wrote:
> 
>> I have not - it looks simple, but also looks like it has a few issues, but
>> what doesn't
>> 
>> there is also the OWASP ESAPI project -
>> https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API -
>> more complicated, but I'd wager more comprehensive too
>> 
>> mod_security can also help with reflected XSS, but not so much with
>> persistent XSS (last I checked)
>> 
>> 
>> I'm guessing both give what you're willing to put in to them, but this
>> area is hard - sometimes you want html inputs (tinymce/fckeditor areas,
>> punycode, etc), just not all of it.  then you're into writing your own
>> regexes (or using the dodgy-looking user contributed functions on the
>> strip_tags php page)
>> 
>> bring on the 'PHP is teh sux' chorus…
>> 
>> 
>> -barry
>> 
>> 
>> 
>> On Nov 7, 2012, at 6:35 AM, Dave Hala Jr wrote:
>> 
>>> Anyone had any success using the php strip_tags function for input
>>> filtering?  It looks like a simple solution for filtering input and
>>> output and avoiding XSS issues.
>>> 
>>> 
>>> :) Dave
>>> 
>>> _______________________________________________
>>> Cialug mailing list
>>> Cialug at cialug.org
>>> http://cialug.org/mailman/listinfo/cialug
>> 
>> 
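A worked illustration of the thread's point, added here and not part of any message in it: strip_tags() applied on input versus htmlspecialchars() applied at the output sink. The function names and sample strings are constructed for the example.

```php
<?php
// Added example (not from the thread): the trade-off Dave asked about.
// strip_tags() filters on input; "fix your code" means encoding on output.
declare(strict_types=1);

// Input-side filtering. Tags you allow keep ALL their attributes untouched,
// which is the documented weakness of this approach.
function filterOnInput(string $userInput, string $allowedTags = ''): string
{
    return strip_tags($userInput, $allowedTags);
}

// Output-side encoding for the HTML body or a quoted attribute value.
// ENT_QUOTES covers both quote styles; ENT_SUBSTITUTE avoids returning ''
// on invalid UTF-8, which would otherwise silently blank the output.
function encodeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Render one value the way a template should: encode at the sink, and
// always quote the attribute so the encoded value cannot break out of it.
function renderInput(string $value): string
{
    return '<p>' . encodeForHtml($value) . '</p>' . "\n"
         . '<input type="text" value="' . encodeForHtml($value) . '">';
}

// Constructed sample inputs.
$samples = [
    // harmless text: a tag-stripper sees "<100 && qty>" as markup and drops it
    'plain text' => 'ok if price<100 && qty>5',
    // rich-text input (the editor case): strip_tags with <b> allowed passes
    // the attribute through unchanged, so the attribute, not the tag, is
    // what you still have to police
    'rich text'  => '<b class="note">bold</b> & "quoted"',
];

foreach ($samples as $label => $raw) {
    echo "== $label ==\n";
    echo "strip_tags(all):  " . filterOnInput($raw) . "\n";
    echo "strip_tags(<b>):  " . filterOnInput($raw, '<b>') . "\n";
    echo "encoded at sink:\n" . renderInput($raw) . "\n\n";
}
```

Run it with `php example.php` and compare the three renderings of each sample: the stripped versions lose or pass through content depending on the allow list, while the encoded version shows the text exactly as typed without it ever being parsed as markup.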