[Cialug] XSS input filtering
Barry Von Ahsen
barry at vonahsen.com
Wed Nov 7 09:49:35 CST 2012
Well, you can safely echo $release if register_globals is off, and your variables_order is sane, and, and, and :)
I program my PHP like it's a real language: initialize variables to impossible defaults (NULL, -1, etc.), inspect the crap out of user-supplied inputs and enforce strict type checking, and fail if anything is amiss. Unfortunately, most of that goes out when users can generate HTML, so YMMV.
(Even names are hard: spaces, periods, apostrophes, hyphens. I love this article: http://www.kalzumeus.com/2010/06/17/falsehoods-programmers-believe-about-names/ )
Like I said, it's hard, and it's why I get annoyed when people claim web programming isn't "real" programming (even before you get into the breadth of technologies required (which may be part of the problem (moar parens)))
-barry
On Nov 7, 2012, at 8:58 AM, Matthew Nuzum wrote:
> strip_tags is a pretty solid way as long as you don't provide a second
> param (the allowed_tags param). It's hard to do XSS when HTML is not
> allowed. However, it is a very heavy-handed technique. If that works for you
> then do it.
>
> I think you'll find that the biggest problem you have other than stuff
> being stripped out is that sometimes you'll forget to strip fields or one
> field that needs tags in it will miss a corner case. :-(
>
> A technique I use for the most important tasks is to mitigate the impact of
> an XSS. For example, use a different domain for all management tasks than
> you do for viewing the site.
>
> Another technique is to never display user provided content. For example, I
> do something like this:
>
> <?php
> switch ($_GET['release']) {
>     case 'lts':
>         $release = 'lts';
>         break;
>     case 'latest':
>     default:
>         $release = 'latest';
> }
> ?>
>
> This way I can <?php echo $release; ?> without concern.
>
> That doesn't work for when you actually want to display user generated
> content of course. :-)
>
> On Wed, Nov 7, 2012 at 6:35 AM, Dave Hala Jr <dave at 58ghz.net> wrote:
>
>> Anyone had any success using the PHP strip_tags function for input
>> filtering? It looks like a simple solution for filtering input and
>> output and avoiding XSS issues.
>>
>>
>> :) Dave
>>
>> _______________________________________________
>> Cialug mailing list
>> Cialug at cialug.org
>> http://cialug.org/mailman/listinfo/cialug
>>
>
> --
> Matthew Nuzum
> newz2000 on freenode, skype, linkedin and twitter
>
> ♫ You're never fully dressed without a smile! ♫
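As an added example (not code from either poster), the two approaches above side by side: Matthew's "never echo the user's value" switch generalised to a whitelist lookup, Barry's output encoding with strict defaults, and a constructed name with quotes showing where strip_tags alone falls short. Function names and the sample value are my own.

```php
<?php
// Whitelist lookup: the request value is only ever compared against a fixed
// list, and a constant from that list is what gets echoed (Matthew's switch,
// generalised to any list). Unknown, missing or non-string input falls back.
function pick_release($input, array $allowed = array('lts', 'latest'), $default = 'latest')
{
    // Strict comparison so that 0, "0" or false never match an entry.
    if (is_string($input) && in_array($input, $allowed, true)) {
        return $input;
    }
    return $default;
}

// Output encoding for user-generated content you do have to display.
// ENT_QUOTES encodes both " and ' so the value survives in attribute context.
function html_text($s)
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Encoded: the name stays inside the value="..." attribute whatever it contains.
function render_name_field($name)
{
    return '<input type="text" name="display_name" value="' . html_text($name) . '">';
}

// strip_tags only: no tags remain, but the double quote in the name is left
// as-is and terminates the attribute early. Tag removal is not encoding.
function stripped_name_field($name)
{
    return '<input type="text" name="display_name" value="' . strip_tags($name) . '">';
}

// Constructed sample: a perfectly legitimate name with quotes and an
// apostrophe, the sort of input the "falsehoods about names" article lists.
$sample = 'Tom "Tiny" O\'Neil';

// isset() avoids the undefined-index notice when the parameter is absent.
$release = pick_release(isset($_GET['release']) ? $_GET['release'] : null);

echo "release: ", $release, "\n";
echo "encoded:  ", render_name_field($sample), "\n";
echo "stripped: ", stripped_name_field($sample), "\n";
```

Run it from the command line and compare the last two lines: only the encoded form keeps the whole name inside the attribute.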