[Cialug] XSS input filtering

Matthew Nuzum newz at bearfruit.org
Wed Nov 7 10:02:24 CST 2012


Good point. I of course was making the assumption that register_globals is
off, but as we've seen in many cases, assuming people are sane is not
always valid. :-)

On Wed, Nov 7, 2012 at 9:49 AM, Barry Von Ahsen <barry at vonahsen.com> wrote:

> Well, you can safely echo $release if register_globals is off, and your
> variables_order is sane, and, and, and :)
>
> I program my php like it's a real language - initialize variables to
> impossible defaults (NULL, -1, etc), inspect the crap out of user-supplied
> inputs and enforce strict type checking, and fail if anything is amiss.
> Unfortunately, most of that goes out when users can generate html, so YMMV.
>
> (even names are hard: spaces, periods, apostrophes, hyphens. I love this
> article:
> http://www.kalzumeus.com/2010/06/17/falsehoods-programmers-believe-about-names/)
>
> like I said, it's hard, and it's why I get annoyed when people claim web
> programming isn't "real" programming (even before you get into the breadth
> of technologies required (which may be part of the problem (moar parens)))
>
>
> -barry
>
>
> On Nov 7, 2012, at 8:58 AM, Matthew Nuzum wrote:
>
> > strip_tags() is a pretty solid way as long as you don't provide a second
> > param (the allowed_tags param). It's hard to do XSS when HTML is not
> > allowed. However it is a very heavy-handed technique. If that works for
> > you then do it.
> >
> > I think you'll find that the biggest problem you have other than stuff
> > being stripped out is that sometimes you'll forget to strip fields or one
> > field that needs tags in it will miss a corner case. :-(
> >
> > A technique I use for the most important tasks is to mitigate the impact
> > of an XSS. For example, use a different domain for all management tasks
> > than you do for viewing the site.
> >
> > Another technique is to never display user provided content. For
> > example, I do something like this:
> >
> > <?php
> > // Allow-list: the request value only selects one of two fixed strings,
> > // so what gets echoed later is never the user's own bytes. The isset()
> > // guard avoids an undefined-index notice when ?release= is absent.
> > switch (isset($_GET['release']) ? $_GET['release'] : '') {
> >     case 'lts':
> >         $release = 'lts';
> >         break;
> >     case 'latest':
> >     default:
> >         $release = 'latest';
> > }
> > ?>
> >
> > This way I can <?php echo $release; ?> without concern.
> >
> > That doesn't work for when you actually want to display user generated
> > content of course. :-)
> >
> > On Wed, Nov 7, 2012 at 6:35 AM, Dave Hala Jr <dave at 58ghz.net> wrote:
> >
> >> Anyone had any success using the php strip_tags function for input
> >> filtering?  It looks like a simple solution for filtering input and
> >> output and avoiding XSS issues.
> >>
> >>
> >> :) Dave
> >>
> >> _______________________________________________
> >> Cialug mailing list
> >> Cialug at cialug.org
> >> http://cialug.org/mailman/listinfo/cialug
> >>
> >
> >
> >



-- 
Matthew Nuzum
newz2000 on freenode, skype, linkedin and twitter

♫ You're never fully dressed without a smile! ♫
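
The three approaches the thread compares, side by side in one script. This is an added example and not code from any of the posters; the sample strings are constructed, and the function names are my own. It shows why strip_tags() with no allowed_tags removes the script in a body context, why passing an allowed_tags list lets an event handler through on the allowed tag (the "corner case" mentioned above), why stripping tags does nothing for a value placed inside an HTML attribute, and how the switch()-style allow-list maps the request to a constant instead of echoing user input. Runs from the CLI with `php example.php`.

```php
<?php
// Added example for this thread (not code from any of the posters).
// Puts the three approaches discussed side by side: strip_tags() with and
// without the allowed_tags parameter, the switch()-style allow-list that maps
// input to a constant, and output encoding for text that must be displayed.
// All inputs below are constructed samples.

// strip_tags() with no allowed_tags: every tag is removed, so nothing is left
// to carry a script when the result lands in an HTML-body context.
function filter_no_html($s)
{
    return strip_tags($s);
}

// strip_tags() with an allowed_tags list keeps the listed tag together with
// ALL of its attributes, including event handlers. This is the corner case
// that a field "needing tags" tends to miss.
function filter_allow_anchor($s)
{
    return strip_tags($s, '<a>');
}

// Allow-list: the user's bytes are never echoed; they only select a constant.
// The query array is a parameter so the function also runs from the CLI.
function release_from_query(array $query)
{
    $wanted = isset($query['release']) ? $query['release'] : '';
    switch ($wanted) {
        case 'lts':
            return 'lts';
        case 'latest':
        default:
            return 'latest';
    }
}

// Output encoding for free-form text: encode for the HTML context at the
// point of output. ENT_QUOTES matters when the value sits inside an attribute.
function html_text($s)
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

$samples = array(
    'script in body'          => 'hello<script>alert(1)</script>',
    'handler on allowed tag'  => '<a href="/" onmouseover="alert(1)">docs</a>',
    'breakout from attribute' => '" onmouseover="alert(1)',
);

foreach ($samples as $label => $input) {
    echo "== $label ==\n";
    echo "strip_tags():         ", filter_no_html($input), "\n";
    echo "strip_tags(, '<a>'):  ", filter_allow_anchor($input), "\n";
    echo "htmlspecialchars():   ", html_text($input), "\n";
    // Rendering the stripped result inside an attribute shows that stripping
    // tags is not the same as encoding for the output context.
    echo 'in attribute (stripped): <input value="', filter_no_html($input), "\">\n";
    echo 'in attribute (encoded):  <input value="', html_text($input), "\">\n\n";
}

// The allow-list can only ever return one of its two constants, whatever
// the request contains (or if the parameter is missing entirely).
$queries = array(
    array('release' => 'lts'),
    array('release' => "lts\"><script>alert(1)</script>"),
    array(),
);
foreach ($queries as $query) {
    echo "release => ", release_from_query($query), "\n";
}
```

The "breakout from attribute" sample is the one to watch: strip_tags() returns it unchanged because it contains no tag, so `<input value="...">` built from the stripped string ends up with an onmouseover handler, while the htmlspecialchars() version keeps the quote inert. In practice the allow-list and output encoding cover most cases; strip_tags() is only a fit when the field genuinely must hold no markup at all.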

