Hi Hector,

Thanks for your reply.

If I recall, the 'general' advice should be filter input and escape output. I am looking for the filter part right now.

On Mon, Oct 25, 2010 at 12:39 PM, Hector Virgen <[email protected]> wrote:
> If HTML is not allowed, it's better to escape the value instead of stripping
> out content that resembles HTML.
>
> --
> *Hector Virgen*
> Sr. Web Developer
> Walt Disney Parks and Resorts Online
> http://www.virgentech.com
>
> On Mon, Oct 25, 2010 at 9:29 AM, robert mena <[email protected]> wrote:
>
>> Hi,
>>
>> I'd like to know if it is safe to filter XSS using Zend_Filter_Tags if none
>> of my fields is supposed to receive any HTML.
>>
>> I read somewhere (at padraic's blog?) that for more sophisticated
>> filtering (like allowing certain tags/attributes) Zend_Filter_Tags is not
>> the option.
>>
>> Regards.
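Added example (not part of the thread, and not Zend Framework code): a plain-PHP comparison of the two approaches discussed above, stripping tag-like content on input versus escaping on output, run over a few constructed inputs. It uses PHP's built-in strip_tags() and htmlspecialchars() rather than Zend_Filter_StripTags so it runs without the framework; the stripping filter in ZF1 makes the same kind of trade-off, so the lesson carries over.

```php
<?php
// Added example, not from the mailing-list thread or from Zend Framework.
// Compares "strip anything that looks like a tag on input" with
// "escape on output" for fields that should never contain HTML.

// Constructed sample inputs: one injection attempt and three pieces of
// ordinary text that merely happen to contain '<', '>', '"' or '&'.
$samples = array(
    'injection'  => '<script>alert(1)</script>',
    'comparison' => 'a<b and c>d',                // legitimate text, looks like a tag
    'units'      => 'Order 2 <units> of part #7', // legitimate text, looks like a tag
    'quotes'     => 'He said "hi" & left',        // no tags, but attribute-breaking characters
);

// Output escaping: the stored value is preserved byte for byte and the
// browser renders it as text. ENT_QUOTES also neutralises both quote
// characters, so the result is safe inside a quoted attribute as well.
function escapeForHtml($value)
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Input stripping: anything that resembles markup is discarded, so the
// stored value no longer matches what the user typed, and characters
// such as '"' and '&' are left untouched.
function stripMarkup($value)
{
    return strip_tags($value);
}

foreach ($samples as $name => $input) {
    printf("%-10s input:    %s\n", $name, $input);
    printf("%-10s stripped: %s\n", $name, stripMarkup($input));
    printf("%-10s escaped:  %s\n\n", $name, escapeForHtml($input));
}
```

Running it shows the two problems with stripping: 'a<b and c>d' loses everything between the angle brackets, so a harmless comparison or a note like '<units>' is silently destroyed, while 'He said "hi" & left' passes through strip_tags() unchanged even though the quote and ampersand still need handling once the value lands in an attribute. Escaping keeps every input intact and makes all four safe to render, which is why filtering on input is best reserved for validation (rejecting or normalising values) rather than as the XSS defence itself.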
