[Cialug] XSS input filtering

Matthew Nuzum newz at bearfruit.org
Wed Nov 7 08:58:53 CST 2012


strip_tags() is a pretty solid way as long as you don't provide a second
param (the allowed_tags param). It's hard to do XSS when HTML is not
allowed. However, it is a very heavy-handed technique. If that works for you,
then do it.

I think you'll find that the biggest problem you have other than stuff
being stripped out is that sometimes you'll forget to strip fields or one
field that needs tags in it will miss a corner case. :-(

A technique I use for the most important tasks is to mitigate the impact of
an XSS. For example, use a different domain for all management tasks than
you do for viewing the site.

Another technique is to never display user provided content. For example, I
do something like this:

<?php
// Map the untrusted query parameter onto a fixed set of known values.
// Anything unexpected (including a missing parameter) falls through to
// the default, so $release never contains attacker-controlled text.
$requested = isset($_GET['release']) ? $_GET['release'] : '';
switch ($requested) {
  case 'lts':
    $release = 'lts';
    break;
  case 'latest':
  default:
    $release = 'latest';
}
?>

This way I can <?php echo $release; ?> without concern.

That doesn't work for when you actually want to display user generated
content of course. :-)

On Wed, Nov 7, 2012 at 6:35 AM, Dave Hala Jr <dave at 58ghz.net> wrote:

> Anyone had any success using the php strip_tags function for input
> filtering?  It looks like a simple solution for filtering input and
> output and avoiding XSS issues.
>
>
> :) Dave
>
> _______________________________________________
> Cialug mailing list
> Cialug at cialug.org
> http://cialug.org/mailman/listinfo/cialug
>



-- 
Matthew Nuzum
newz2000 on freenode, skype, linkedin and twitter

♫ You're never fully dressed without a smile! ♫
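An added example, not code from the post above, putting its two points side by side: what strip_tags() does with and without the allowed_tags parameter, the allowlist mapping from the switch statement generalized into a helper, and output encoding for the case the post says the mapping does not cover. The pick_allowed() and html() helpers and the sample comment string are constructed for this illustration.

```php
<?php
// Added example, not code from the original post. Sample input is constructed.
// Shows: strip_tags() with and without allowed_tags, the allowlist-mapping
// pattern as a reusable helper, and output encoding for content that really
// must be displayed.

// Constructed attacker input: a script element, an event handler on <b>,
// and a javascript: URL on <a>.
$comment = 'Hi <script>alert(1)</script> <b onmouseover="alert(2)">there</b>'
         . ' <a href="javascript:alert(3)">link</a>';

// 1. No allowed_tags: every tag is removed. Only the text between the
//    tags remains, so nothing the browser would execute survives.
$plain = strip_tags($comment);

// 2. With allowed_tags: the allowed elements are kept intact, including
//    every attribute on them. strip_tags() never inspects attributes, so
//    onmouseover="..." and href="javascript:..." pass straight through.
$partly = strip_tags($comment, '<b><a>');

// 3. Allowlist mapping (the post's switch statement generalized): return
//    the input only if it is one of the known values, else the default.
//    $release then holds a literal from our own list, never user text.
function pick_allowed($value, array $allowed, $default)
{
    // Strict comparison: no type juggling; arrays and null are rejected.
    if (is_string($value) && in_array($value, $allowed, true)) {
        return $value;
    }
    return $default;
}

$release = pick_allowed(
    isset($_GET['release']) ? $_GET['release'] : null,
    array('lts', 'latest'),
    'latest'
);

// 4. When user content must be shown, encode it for the output context
//    instead of trying to strip the dangerous parts out of it. ENT_QUOTES
//    encodes both quote characters, so the same string is safe inside a
//    quoted attribute as well as in element content.
function html($text)
{
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}
?>
<p>Showing release: <?php echo $release; ?></p>
<p>Stripped: <?php echo html($plain); ?></p>
<p>Partly stripped (still dangerous if echoed raw): <?php echo html($partly); ?></p>
<p data-comment="<?php echo html($comment); ?>">Escaped comment: <?php echo html($comment); ?></p>
```

Echoing $partly without the html() wrapper would hand the browser the surviving onmouseover handler and javascript: link, which is exactly the corner case an allowed_tags list opens up; the PHP manual documents that strip_tags() leaves attributes on allowed tags untouched. The two safe paths are the ones shown: map input onto your own literals, or encode at output time for the context you are writing into.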

