[Cialug] XSS input filtering
Eric Junker
eric at eric.nu
Wed Nov 7 18:57:50 CST 2012
The advice that I've always followed is: Filter Input, Escape Output.
For filtering XSS attacks, use strip_tags(); but for general-purpose input
filtering, see PHP's built-in input filtering:
http://us3.php.net/manual/en/book.filter.php
If you need to allow certain HTML tags but strip others, you really
should use something like HTMLPurifier http://htmlpurifier.org/ which
will not only let you whitelist HTML tags but also HTML attributes.
To escape XSS attacks, you use htmlentities(). Keep in mind that when
using htmlentities() you really need to call it like this:
htmlentities($data, ENT_QUOTES, 'UTF-8'); so that it will escape quotes
and know which character encoding to use. If you don't specify a
character encoding, XSS attacks that use UTF-7 are possible.
Chris Shiflett is "the man" when it comes to PHP security. Here are a
few of his articles:
http://shiflett.org/articles/cross-site-scripting
http://shiflett.org/blog/2007/may/character-encoding-and-xss
Eric
On 11/7/2012 6:35 AM, Dave Hala Jr wrote:
> Anyone had any success using the php strip_tags function for input
> filtering? It looks like a simple solution for filtering input and
> output and avoiding XSS issues.
>
>
> :) Dave
>
> _______________________________________________
> Cialug mailing list
> Cialug at cialug.org
> http://cialug.org/mailman/listinfo/cialug
>
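The following is an added example, not code from the original thread or from Chris Shiflett's articles. It runs the three defences named above (strip_tags(), htmlentities() with the default ENT_COMPAT flag, and htmlentities() with ENT_QUOTES plus an explicit charset) over constructed attacker payloads and drops each result into a double-quoted and a single-quoted attribute, then uses DOMDocument to check whether an event-handler attribute survived. The payloads, the helper names (in_double_quoted_attr, in_single_quoted_attr, esc, has_event_handler, report) and the ENT_SUBSTITUTE flag are the example's own additions, not something the reply specifies.

```php
<?php
// Added example, not from the original thread. Constructed payloads show why
// strip_tags() alone does not stop XSS and why htmlentities() needs ENT_QUOTES
// and an explicit charset, as the reply recommends.

// Constructed payloads. Only the first is a tag; the other two target attribute
// context and contain nothing for strip_tags() to remove.
$payloads = [
    'tag'          => '<img src=x onerror=alert(1)>',
    'double-quote' => '" onmouseover="alert(1)',
    'single-quote' => "' onmouseover='alert(1)",
];

// Two output contexts a filtered value might be written into.
function in_double_quoted_attr(string $v): string
{
    return '<input name="q" value="' . $v . '">';
}

function in_single_quoted_attr(string $v): string
{
    return "<input name='q' value='" . $v . "'>";
}

// Recommended escape for HTML text and attribute values: ENT_QUOTES converts
// both quote styles, ENT_SUBSTITUTE (an addition beyond the reply's flags)
// replaces invalid UTF-8 instead of making the call return '', and the explicit
// charset keeps the encoder from being confused by another one (the UTF-7 case).
// Note: PHP 8.1 changed the default flags to include ENT_QUOTES; on older
// versions the default is ENT_COMPAT, which leaves single quotes alone.
function esc(string $v): string
{
    return htmlentities($v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// True when the parsed <input> carries an on* attribute, i.e. the payload broke
// out of the attribute value. Parsing with DOMDocument avoids false positives
// from a handler string that merely sits inside a still-quoted value.
function has_event_handler(string $html): bool
{
    libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    $doc->loadHTML($html);
    foreach ($doc->getElementsByTagName('input') as $el) {
        foreach ($el->attributes as $attr) {
            if (stripos($attr->name, 'on') === 0) {
                return true;
            }
        }
    }
    return false;
}

function report(string $label, string $value): void
{
    $contexts = ['"' => in_double_quoted_attr($value), "'" => in_single_quoted_attr($value)];
    foreach ($contexts as $q => $html) {
        printf("%-24s in %s...%s : %-48s [%s]\n",
            $label, $q, $q, $html, has_event_handler($html) ? 'XSS' : 'ok');
    }
}

foreach ($payloads as $name => $raw) {
    echo "== $name payload ==\n";
    // strip_tags() removes the <img> but passes both attribute payloads through.
    report('strip_tags()', strip_tags($raw));
    // ENT_COMPAT escapes " but not ', so the single-quote payload still escapes
    // a single-quoted attribute.
    report('ENT_COMPAT', htmlentities($raw, ENT_COMPAT, 'UTF-8'));
    // ENT_QUOTES + UTF-8 neutralises all three in both contexts.
    report('ENT_QUOTES', esc($raw));
    echo "\n";
}

// "Filter input": validate shape up front with the filter extension the reply
// links to. This rejects junk early but does not replace escaping on output.
$posted = ['id' => '42abc', 'email' => 'dave@example.com', 'page' => '0']; // constructed request data
var_dump(
    filter_var($posted['id'], FILTER_VALIDATE_INT),                                     // false: not an int
    filter_var($posted['email'], FILTER_VALIDATE_EMAIL),                                // the address, unchanged
    filter_var($posted['page'], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]) // false: below range
);
```

Run it with `php xss-filter-demo.php`. The output shows the attribute payloads surviving strip_tags() and the single-quote payload surviving ENT_COMPAT, while the ENT_QUOTES call renders every payload as inert text; the point is that escaping must match the output context, and input filtering only narrows what reaches it.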