I was just looking over the documentation of Zend_Filter_StripTags and it's not recommended for preventing XSS attacks:
http://framework.zend.com/manual/en/zend.filter.set.html#zend.filter.set.striptags

I'm guessing that Tidy might be faster than HTMLPurifier if you're concerned about performance. Might want to benchmark it though.

--
*Hector Virgen*
Sr. Web Developer
Walt Disney Parks and Resorts Online
http://www.virgentech.com


On Mon, Oct 25, 2010 at 12:39 PM, robert mena <[email protected]> wrote:

> Hi Hector,
>
> In my case I'd like to have control over this. In most cases (like
> regular form variables/GET/hidden) I'd like to remove ALL html. Some fields
> (a few where I allow - via tinyMCE) should allow some tags to be used - like
> the strong.
>
> In a more recent blog (
> http://blog.astrumfutura.com/2010/08/html-sanitisation-the-devils-in-the-details-and-the-vulnerabilities/)
> I was inclined to use HTMLPurifier despite its performance "problem".
> But it does not address my general filtering problem.
>
> Can Zend_Filter_Tags help with that?
>
> On Mon, Oct 25, 2010 at 2:12 PM, Hector Virgen <[email protected]> wrote:
>
>> Then I guess it depends -- do you want to filter out all html, or allow
>> html-like content to be displayed back to your users (escaped, of course)?
>>
>> Personally I prefer the latter because it allows users to write something
>> like "Strong tags look like this: <strong>content</strong>"
>>
>> The users will see the actual HTML instead of it being stripped or
>> rendered.
>>
>> If you're only concerned about XSS then escaping should be fine -- as long
>> as you remember to escape it whenever it can be evaluated by a parser.
>>
>> --
>> *Hector Virgen*
>> Sr. Web Developer
>> Walt Disney Parks and Resorts Online
>> http://www.virgentech.com
>>
>>
>> On Mon, Oct 25, 2010 at 11:04 AM, robert mena <[email protected]> wrote:
>>
>>> Hi Hector,
>>>
>>> Thanks for your reply.
>>>
>>> If I recall, the 'general' advice should be filter input and escape
>>> output. I am looking for the filter part right now.
>>>
>>> On Mon, Oct 25, 2010 at 12:39 PM, Hector Virgen <[email protected]> wrote:
>>>
>>>> If HTML is not allowed, it's better to escape the value instead of strip
>>>> out content that resembles HTML.
>>>>
>>>> --
>>>> *Hector Virgen*
>>>> Sr. Web Developer
>>>> Walt Disney Parks and Resorts Online
>>>> http://www.virgentech.com
>>>>
>>>>
>>>> On Mon, Oct 25, 2010 at 9:29 AM, robert mena <[email protected]> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> I'd like to know if it is safe to filter XSS using Zend_Filter_Tags if
>>>>> none of my fields is supposed to receive any HTML.
>>>>>
>>>>> I read somewhere (at padraic's blog?) that for more sophisticated
>>>>> filtering (like allowing certain tags/attributes) Zend_Filter_Tags is not
>>>>> the option.
>>>>>
>>>>> Regards.
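An added example, not code from this thread, from the linked blog post or from Zend Framework, that shows in plain PHP the distinction the thread keeps circling back to: stripping tags on input versus escaping on output, and why an allow list of tags alone is not an XSS defence. It uses PHP's built-in strip_tags() and htmlspecialchars() in place of Zend_Filter_StripTags so it runs stand-alone, and the four inputs are constructed for the demonstration; the function names are the example's own.

```php
<?php
// Added example, not code from the thread or from Zend Framework.
// Uses PHP's built-in strip_tags() and htmlspecialchars() rather than
// Zend_Filter_StripTags so it runs stand-alone; the inputs below are
// constructed for the demonstration.

declare(strict_types=1);

/** Input-side filter: drop everything that looks like a tag (lossy). */
function stripAllHtml(string $value): string
{
    return strip_tags($value);
}

/**
 * Input-side filter with an allow list, as one might configure for a
 * TinyMCE field that should keep <strong> and <em>. strip_tags() leaves
 * the attributes on allowed tags untouched, so an event handler on an
 * allowed tag survives; that is the detail an allow list does not cover.
 */
function stripToAllowedTags(string $value): string
{
    return strip_tags($value, '<strong><em>');
}

/** Output-side escape for an HTML text node or a double-quoted attribute. */
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Constructed sample inputs.
$samples = [
    'prose that mentions markup'            => 'Strong tags look like this: <strong>content</strong>',
    'script element'                        => '<script>alert(1)</script>',
    'no tags at all (attribute breakout)'   => '" onmouseover="alert(1)',
    'allowed tag carrying an event handler' => '<strong onmouseover="alert(1)">bold</strong>',
];

foreach ($samples as $label => $input) {
    echo "== $label ==\n";
    echo "raw:                 $input\n";
    echo "strip all:           " . stripAllHtml($input) . "\n";
    echo "strip to allow list: " . stripToAllowedTags($input) . "\n";
    echo "escaped:             " . escapeHtml($input) . "\n";
    // Where the value finally lands decides what is safe. A value with no
    // tags at all passes strip_tags() unchanged yet still closes a quoted
    // attribute; the escaped form cannot, because its quotes are entities.
    echo "as attribute (stripped): <input value=\"" . stripAllHtml($input) . "\">\n";
    echo "as attribute (escaped):  <input value=\"" . escapeHtml($input) . "\">\n\n";
}
```

Run it with `php strip_vs_escape.php` and compare the lines per sample: the first input loses its literal example markup when stripped but is shown verbatim when escaped; the third input contains no tag, so stripping does nothing and it rewrites the attribute it is placed into; the fourth keeps its onmouseover under the allow list. That is the reason the StripTags documentation does not recommend it as an XSS defence and the thread's rule of escaping wherever a parser will evaluate the value, per context, is the one to rely on.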
