[Cialug] XSS input filtering
Pixie
pix at kepibu.org
Wed Nov 7 20:10:08 CST 2012
On 2012.11.07 08:58, Matthew Nuzum wrote:
> Strip tags is a pretty solid way as long as you don't provide a second
> param (the allowed_tags param). It's hard to do xss when HTML is not
> allowed. ...
Having recently spent a week partially fixing a codebase that took that
last sentence to heart, I'm going to disagree:
$user-supplied-value = {" onmouseover="alert('XSS!');"};
<tag attr="$user-supplied-value">Content</tag>
||
\/
<tag attr="" onmouseover="alert('XSS!');">Content</tag>
That wasn't very hard at all! :P
Eric's advice to escape output is good. Do that. Everywhere. Or
generate a DOM tree and write that out, which would handle all the
appropriate escaping for you, at the expense of being super-ugly.
Of course, once you're properly escaping your output, strip_tags()
becomes superfluous. I prefer not to do things which alter user input,
if such things can be avoided.
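The break-out above, worked through in runnable PHP (this is an added example, not code from the original post or its author). It contrasts the strip_tags() approach with escaping at output time and with the DOM-tree approach the post mentions. The helper names render(), renderStripped(), attrEscape(), renderEscaped() and renderViaDom() are made up for this example, and the payload string is constructed to match the one in the post.

```php
<?php
declare(strict_types=1);

// Added example, not from the original post. The attacker-controlled value is
// constructed for this example: it contains no '<' at all, only a double
// quote that closes the attribute and an event-handler attribute after it.
$userSuppliedValue = '" onmouseover="alert(\'XSS!\');';

// Template fragment: the value lands inside a double-quoted attribute.
function render(string $attrValue): string
{
    return '<tag attr="' . $attrValue . '">Content</tag>';
}

// 1. "Filter input" with strip_tags(). Because the payload has no '<',
//    strip_tags() has nothing to remove and the quote break-out survives.
function renderStripped(string $value): string
{
    return render(strip_tags($value));
}

// 2. Escape output for the context it is written into. ENT_QUOTES matters:
//    the default ENT_COMPAT leaves single quotes alone, which is not enough
//    when the attribute happens to be single-quoted.
function attrEscape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderEscaped(string $value): string
{
    return render(attrEscape($value));
}

// 3. Build a DOM tree and serialise it; the serialiser escapes the attribute
//    value itself, so the template never concatenates raw strings.
function renderViaDom(string $value): string
{
    $doc = new DOMDocument();
    $el  = $doc->createElement('tag');
    $el->appendChild($doc->createTextNode('Content'));
    $el->setAttribute('attr', $value);
    $doc->appendChild($el);
    return $doc->saveHTML($el);
}

echo renderStripped($userSuppliedValue), PHP_EOL;
echo renderEscaped($userSuppliedValue), PHP_EOL;
echo renderViaDom($userSuppliedValue), PHP_EOL;
```

Run it with `php` on the command line. The first line prints the onmouseover handler verbatim, because strip_tags() returns a string without `<` unchanged; the other two print `&quot;` wherever the payload had a `"`, so the attribute is never closed early. The escaping has to match the context the value lands in: htmlspecialchars() covers element text and attribute values, but a value written into a script block or a URL needs that context's encoding instead.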