Actually that's the one answer I was hoping not to get ;-))) Well, the problem is that HtmlPurifier also comes with security vulnerabilities, like any other piece of code. So the less code I include the better I am, that was the main idea.

Z.

-- 
My dojo & zend framework experience, the good, the bad with code samples ;-)
http://practicalphpajax.wordpress.com/

> Date: Tue, 1 Mar 2011 10:29:22 -0600
> From: [email protected]
> To: [email protected]
> Subject: Re: [fw-general] Zend guru advise on how to build a secure function
>
> -- Zladivliba Voskuy <[email protected]> wrote
> (on Tuesday, 01 March 2011, 04:36 PM +0100):
> > I've been trying to find a solution for this for a while; I'd like to
> > use a SecureText function that filters any "potential risky" text
> > input from my website.
> >
> > So what's "potential risky text" for me: everything that's not:
> > a-zA-Z0-9 ;.,?+-_![]/()
> > This clears any hack potential from XSS or SQL injection. This limits
> > the usability of my website, but I don't care, as long as XSS is not
> > possible any more, and SQL injections are out of the way, it's
> > perfectly viable for what I want to do and the needs of my users.
> >
> > Now the question is how to build such a function. It seems that I
> > can't use preg_replace because of unicode characters. I've tried to use
> > filter_var but I'm not sure it filters unicode characters as well. And I
> > really want to strip everything that's risky; it's my main priority.
> >
> > Cool guys on #Zftalk have advised me to use the PregReplace filter built
> > into ZF since I have a regexp, but I'm not sure the regexp is secure so...
> >
> > Any help appreciated! I'm a little lost with this. Thanks!
>
> I'd build a filter that wraps HtmlPurifier, to be honest...
>
> -- 
> Matthew Weier O'Phinney
> Project Lead | [email protected]
> Zend Framework | http://framework.zend.com/
> PGP key: http://framework.zend.com/zf-matthew-pgp-key.asc
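An added example, not code from this thread or from Zend Framework: a plain-PHP whitelist filter for exactly the character set asked about above, showing the two things a practitioner would check before trusting such a regexp, the unescaped hyphen in `+-_` (which PCRE reads as a range) and UTF-8 handling via the `u` modifier. The `filter($value)` signature is assumed to match ZF1's `Zend_Filter_Interface` so the class can be dropped into a `Zend_Filter` chain; the sample inputs at the bottom are constructed.

```php
<?php
// Added example (not from the mailing-list thread): keep only the characters
// listed in the question and strip everything else, safely for UTF-8 input.

class WhitelistCharsFilter
{
    // Allowed set from the question: a-zA-Z0-9 ;.,?+-_![]/()
    // Written literally as [+-_], the hyphen makes a RANGE from "+" (0x2B)
    // to "_" (0x5F), which silently allows "<", ">", "=", "@", ":" and more.
    // So the hyphen goes last, and "[", "]", "/" are escaped.
    // The "u" modifier makes PCRE match UTF-8 code points instead of bytes,
    // so a multibyte character is removed whole rather than leaving stray bytes.
    const PATTERN = '/[^a-zA-Z0-9 ;.,?+_!\[\]\/()-]/u';

    /**
     * Same signature as Zend_Filter_Interface::filter() (assumption: ZF1 API);
     * add "implements Zend_Filter_Interface" when the framework is loaded.
     */
    public function filter($value)
    {
        $clean = preg_replace(self::PATTERN, '', (string) $value);

        // With "u", preg_replace() returns NULL on malformed UTF-8 and
        // preg_last_error() is PREG_BAD_UTF8_ERROR. Fail closed: input we
        // cannot even decode is not passed through in any form.
        if ($clean === null) {
            return '';
        }
        return $clean;
    }
}

// Constructed sample inputs to exercise the filter.
$f = new WhitelistCharsFilter();
var_dump($f->filter('Hello, world! (2011) ok?'));  // all characters allowed
var_dump($f->filter('<b>bold</b> a=b'));           // "<", ">", "=" removed
var_dump($f->filter("caf\xC3\xA9 ;-)"));           // multibyte "é" removed whole
var_dump($f->filter("bad \xC3 byte"));             // malformed UTF-8 -> ""
```

Note that a character whitelist is an input-validation measure only; output escaping for HTML and parameterized SQL queries remain necessary for the contexts where the value is later used.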
