Hi Hector,

In my case I'd like to have control over this. In most cases (like regular form variables/GET/hidden) I'd like to remove ALL html. Some fields (a few where I allow - via tinyMCE) should allow some tags to be used - like the strong.

In a more recent blog (http://blog.astrumfutura.com/2010/08/html-sanitisation-the-devils-in-the-details-and-the-vulnerabilities/) I was inclined to use HTMLPurifier despite its performance "problem". But it does not address my general filtering problem. Can Zend_Filter_Tags help with that?

On Mon, Oct 25, 2010 at 2:12 PM, Hector Virgen <[email protected]> wrote:
> Then I guess it depends -- do you want to filter out all html, or allow
> html-like content to be displayed back to your users (escaped, of course)?
>
> Personally I prefer the latter because it allows users to write something
> like "Strong tags look like this: <strong>content</strong>"
>
> The users will see the actual HTML instead of it being stripped or
> rendered.
>
> If you're only concerned about XSS then escaping should be fine -- as long
> as you remember to escape it whenever it can be evaluated by a parser.
>
> --
> *Hector Virgen*
> Sr. Web Developer
> Walt Disney Parks and Resorts Online
> http://www.virgentech.com
>
> On Mon, Oct 25, 2010 at 11:04 AM, robert mena <[email protected]> wrote:
>
>> Hi Hector,
>>
>> Thanks for your reply.
>>
>> If I recall the 'general' advice should be filter input and escape output.
>> I am looking for the filter part right now.
>>
>> On Mon, Oct 25, 2010 at 12:39 PM, Hector Virgen <[email protected]> wrote:
>>
>>> If HTML is not allowed, it's better to escape the value instead of strip
>>> out content that resembles HTML.
>>>
>>> --
>>> *Hector Virgen*
>>> Sr. Web Developer
>>> Walt Disney Parks and Resorts Online
>>> http://www.virgentech.com
>>>
>>> On Mon, Oct 25, 2010 at 9:29 AM, robert mena <[email protected]> wrote:
>>>
>>>> Hi,
>>>>
>>>> I'd like to know if it is safe to filter XSS using Zend_Filter_Tags if none of
>>>> my fields is supposed to receive any HTML.
>>>>
>>>> I read somewhere (at padraic's blog?) that for more sophisticated filtering
>>>> (like allowing certain tags/attributes) Zend_Filter_Tags is not the option.
>>>>
>>>> Regards.
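The two cases the thread discusses (plain fields that are escaped on output, and tinyMCE fields where only a tag like `<strong>` is allowed), as an added example that is not part of the thread and uses plain PHP functions rather than Zend_Filter_*; the sample inputs are constructed, and `keepStrongOnly` / `hasTagAttributes` are illustrative helper names, not a library API.

```php
<?php
// Added example, not from the thread. Shows "filter input, escape output" with
// plain PHP: escaping happens at output time for the HTML body context, while a
// tag-name allow-list alone is only a coarse filter because it keeps attributes.

/** Escape a value for insertion into an HTML element body or quoted attribute. */
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Coarse allow-list for the tinyMCE fields: keeps <strong>, drops other tags. */
function keepStrongOnly(string $html): string
{
    // strip_tags() keeps every attribute on an allowed tag; it does not filter them.
    return strip_tags($html, '<strong>');
}

/** Check worth having in a test suite: does any remaining tag still carry attributes? */
function hasTagAttributes(string $html): bool
{
    return preg_match('/<[a-z]+\s+[a-z-]+\s*=/i', $html) === 1;
}

// Constructed sample inputs: one user writing *about* HTML, one supplying markup.
$plainField = 'Strong tags look like this: <strong>content</strong>';
$richField  = '<strong onmouseover="alert(1)">hi</strong><script>alert(1)</script>';

// Regular form field: store as submitted, escape when rendering. The reader sees
// the literal text "<strong>content</strong>" instead of a rendered or stripped tag.
echo escapeHtml($plainField), "\n";

// tinyMCE field: the <script> element is gone, but the allowed <strong> keeps its
// event-handler attribute, which is exactly why a tag allow-list is not sufficient
// for fields that accept markup; those need an attribute-aware sanitizer such as
// HTMLPurifier, and fields that do not accept markup should simply be escaped.
$filtered = keepStrongOnly($richField);
echo $filtered, "\n";
echo hasTagAttributes($filtered) ? "attributes survived the filter\n" : "clean\n";
```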
