The current version for HtmlPurifier is 4.2.0. Is there still a vulnerability with it? The site says it's fixed.
Jamie

On Tue, Mar 1, 2011 at 8:56 AM, Zladivliba Voskuy <[email protected]> wrote:
>
> Actually that's the one answer I was hoping not to get ;-)))
>
> Well the problem is that HtmlPurifier comes also with security
> vulnerabilities, like any other piece of code. So the less code I include the
> better I am, that was the main idea.
>
> Z.
> --
> My dojo & zend framework experience, the good, the bad with code samples ;-)
>
> http://practicalphpajax.wordpress.com/
>
>
>> Date: Tue, 1 Mar 2011 10:29:22 -0600
>> From: [email protected]
>> To: [email protected]
>> Subject: Re: [fw-general] Zend guru advise on how to build a secure function
>>
>> -- Zladivliba Voskuy <[email protected]> wrote
>> (on Tuesday, 01 March 2011, 04:36 PM +0100):
>> > I've been trying to find a solution for this for a while; I'd like to
>> > use a SecureText function that filters any "potential risky" text
>> > input from my website.
>> >
>> > So what's "potential risky text" for me: everything that's not:
>> > a-zA-Z0-9 ;.,?+-_![]/()
>> > This clears any hack potential from XSS or SQL
>> > injection. This limits the usability of my website, but I don't care,
>> > as long as xss are not possible any more, and sql injections are out
>> > of the way it's perfectly viable for what I want to do and the needs
>> > of my users.
>> >
>> > Now the question is how to build such a function. It seems that I
>> > can't use preg_replace because of unicode characters. I've tried to use
>> > filter_var but I'm not sure it filters also unicode characters. And I
>> > really want to strip everything that's risky, it's my main priority.
>> >
>> > Cool guys on #Zftalk have advised to use the pregReplace filter built in
>> > ZF since I have a regexp, but I'm not sure regexp is secure so...
>> >
>> > Any help appreciated! I'm a little lost with this. Thanks!
>>
>> I'd build a filter that wraps HtmlPurifier, to be honest...
>>
>> --
>> Matthew Weier O'Phinney
>> Project Lead | [email protected]
>> Zend Framework | http://framework.zend.com/
>> PGP key: http://framework.zend.com/zf-matthew-pgp-key.asc
>
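A whitelist filter of the kind the original poster describes, added here as an example (it is not code from the thread or from Zend Framework; the class name SecureTextFilter and the sample inputs are constructed). It shows the two things that make preg_replace "not work" with Unicode input: the `u` modifier is needed so PCRE sees characters rather than bytes, and with `u` a malformed UTF-8 subject makes preg_replace return null, which the caller has to check.

```php
<?php
// Added example, not code from the thread or from Zend Framework.
// Keeps only a-zA-Z0-9 space ;.,?+-_![]/() and drops everything else.

final class SecureTextFilter
{
    // Character class from the original post. Inside [...] the '-' must be
    // escaped (or placed last) and ']' must be escaped, otherwise "+-_" is
    // parsed as the range 0x2B..0x5F and lets through < > = @ : and more.
    private const NOT_ALLOWED = '/[^a-zA-Z0-9 ;.,?+\-_!\[\]\/()]/u';

    /**
     * Returns the filtered string, or null if the input is not valid UTF-8.
     *
     * Without the 'u' modifier every byte of a multibyte character is
     * inspected separately and a truncated sequence is silently trimmed.
     * With 'u', preg_replace() returns null on malformed UTF-8 instead of
     * a string; rejecting that is safer than passing the bytes through.
     */
    public static function filter(string $input): ?string
    {
        $result = preg_replace(self::NOT_ALLOWED, '', $input);
        if ($result === null && preg_last_error() === PREG_BAD_UTF8_ERROR) {
            return null; // caller should treat this as invalid input
        }
        return $result;
    }
}

// Constructed sample inputs.
$samples = [
    'Hello, world! (2011)',        // unchanged: every character is allowed
    "<script>alert('x')</script>", // becomes "scriptalert(x)/script"
    'Zürich café',                 // becomes "Zrich caf": non-ASCII letters dropped
    "caf\xC3",                     // truncated UTF-8 sequence: filter() returns null
];
foreach ($samples as $s) {
    var_dump(SecureTextFilter::filter($s));
}
```

Stripping the character set this aggressively is one layer only; output escaping for HTML and parameterised queries for the database still apply to whatever survives the filter.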
