-- Zladivliba Voskuy <[email protected]> wrote
(on Tuesday, 01 March 2011, 05:56 PM +0100):
> Actually that's the one answer I was hoping not to get ;-)))
> 
> Well the problem is that HtmlPurifier comes also with security 
> vulnerabilities,
> like any other piece of code. So the less code I include the better I am, that
> was the main idea. 

The difference, however, is that HTMLPurifier has taken a
security-in-depth approach and benefits from many developers
scrutinizing it. While it may have some security vulnerabilities, you'll
at least get reports of those so you can patch and fix -- instead of
targeted attacks on just your site.

If you don't like HTMLPurifier, you may also want to look at Padraic
Brady's "Wibble" project (Paddy is a contributor to ZF, and knows
security in and out):

    http://blog.astrumfutura.com/tag/wibble/

> > Date: Tue, 1 Mar 2011 10:29:22 -0600
> > From: [email protected]
> > To: [email protected]
> > Subject: Re: [fw-general] Zend guru advise on how to build a secure function
> >
> > -- Zladivliba Voskuy <[email protected]> wrote
> > (on Tuesday, 01 March 2011, 04:36 PM +0100):
> > > I've been trying to find a solution for this for a while ; I'd like to
> > > use a SecureText function that filters any "potential risky" text
> > > input from my website.
> > >
> > > So what's "potential risky text" for me : everything that's not :
> > > a-zA-Z0-9 ;.,?+-_![]/() This clears any hack potential from XSS or SQL
> > > injection. This limits the usability of my website, but I don't care,
> > > as long as xss are not possible any more, and sql injections are out
> > > of the way it's perfectly viable for what I want to do and the needs
> > > of my users.
> > >
> > > Now the question is how to build such a function. It seems that I
> > > can't use preg_replace because of unicode characters. I've tried to use
> > > filter_var but I'm not sure it filters also unicode characters. And I
> > > really want to strip everything that's risky it's my main priority.
> > >
> > > Cool guys on #Zftalk have advised to use pregReplace filter build in
> > > ZF since I have a regexp, but I'm not sure regexp is secure so...
> > >
> > > Any help appreciated ! I'm a little lost with this. Thanks !
> >
> > I'd build a filter that wraps HtmlPurifier, to be honest...
> >
> > --
> > Matthew Weier O'Phinney
> > Project Lead | [email protected]
> > Zend Framework | http://framework.zend.com/
> > PGP key: http://framework.zend.com/zf-matthew-pgp-key.asc

-- 
Matthew Weier O'Phinney
Project Lead            | [email protected]
Zend Framework          | http://framework.zend.com/
PGP key: http://framework.zend.com/zf-matthew-pgp-key.asc

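The "filter that wraps HtmlPurifier" suggested in the thread, as an added example (not code from the thread, from Zend Framework or from HTMLPurifier). It assumes ZF1's Zend_Filter_Interface and HTMLPurifier's HTMLPurifier.auto.php are on the include path; the class name My_Filter_HtmlPurifier and the default allow-list are the example's own choices.

```php
<?php
// Added example: a ZF1-style filter wrapping HTMLPurifier, as suggested above.
// Assumes HTMLPurifier's autoloader and Zend_Filter_Interface are loadable.
require_once 'HTMLPurifier.auto.php';
require_once 'Zend/Filter/Interface.php';

class My_Filter_HtmlPurifier implements Zend_Filter_Interface
{
    /** @var HTMLPurifier */
    protected $_purifier;

    /**
     * @param string $allowed HTMLPurifier "HTML.Allowed" allow-list, e.g.
     *                        'p,b,i,a[href]'; an empty string strips all markup.
     */
    public function __construct($allowed = 'p,b,i,a[href]')
    {
        $config = HTMLPurifier_Config::createDefault();
        // Treat input as UTF-8 so multibyte (Unicode) text survives intact
        $config->set('Core.Encoding', 'UTF-8');
        $config->set('HTML.Doctype', 'HTML 4.01 Transitional');
        // Only these elements/attributes are kept; everything else is removed
        $config->set('HTML.Allowed', $allowed);
        // Restrict link schemes, which rules out javascript: and data: URIs
        $config->set('URI.AllowedSchemes', array('http' => true, 'https' => true));
        $this->_purifier = new HTMLPurifier($config);
    }

    /**
     * Zend_Filter_Interface contract: return the sanitized value.
     *
     * @param  mixed $value
     * @return string
     */
    public function filter($value)
    {
        return $this->_purifier->purify((string) $value);
    }
}

// Usage: attach to a Zend_Form element via addFilter(), or call directly.
// Constructed sample input with an event handler, a script block, a
// javascript: link and a non-ASCII character (the Unicode concern above).
$filter = new My_Filter_HtmlPurifier('p,b,i,a[href]');
$dirty  = '<p onclick="x()">H&eacute;llo <script>alert(1)</script>'
        . '<a href="javascript:alert(1)">link</a></p>';
$clean  = $filter->filter($dirty);
// $clean keeps the <p>, the text and the <a> element, but drops onclick,
// the script block and the javascript: href.
```

HTMLPurifier only covers untrusted text that is rendered as HTML; SQL injection is prevented separately by parameterised queries (Zend_Db bound parameters), not by stripping characters on input.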