I don't know of any vulns in HtmlPurifier, although I can tell you for sure there are undiscovered vulnerabilities; this is just a matter of statistics. The more code you have, the more vulns you have too. The more complex the machine, the more vulns you have. Even if the guys who wrote it are probably high-end security professionals. Z.
> The current version for HtmlPurifier is 4.2.0. Is there still a
> vulnerability with it? The site says it's fixed.
>
> Jamie
>
> On Tue, Mar 1, 2011 at 8:56 AM, Zladivliba Voskuy <[email protected]> wrote:
> >
> > Actually that's the one answer I was hoping not to get ;-)))
> >
> > Well the problem is that HtmlPurifier comes also with security
> > vulnerabilities, like any other piece of code. So the less code I include
> > the better I am, that was the main idea. Z.
> > --
> > My dojo & zend framework experience, the good, the bad with code samples ;-)
> >
> > http://practicalphpajax.wordpress.com/
> >
> >> Date: Tue, 1 Mar 2011 10:29:22 -0600
> >> From: [email protected]
> >> To: [email protected]
> >> Subject: Re: [fw-general] Zend guru advise on how to build a secure
> >> function
> >>
> >> -- Zladivliba Voskuy <[email protected]> wrote
> >> (on Tuesday, 01 March 2011, 04:36 PM +0100):
> >> > I've been trying to find a solution for this for a while; I'd like to
> >> > use a SecureText function that filters any "potential risky" text
> >> > input from my website.
> >> >
> >> > So what's "potential risky text" for me: everything that's not:
> >> > a-zA-Z0-9 ;.,?+-_![]/()
> >> > This clears any hack potential from XSS or SQL injection. This limits
> >> > the usability of my website, but I don't care, as long as XSS are not
> >> > possible any more, and SQL injections are out of the way it's perfectly
> >> > viable for what I want to do and the needs of my users.
> >> >
> >> > Now the question is how to build such a function. It seems that I
> >> > can't use preg_replace because of unicode characters. I've tried to use
> >> > filter_var but I'm not sure it filters also unicode characters. And I
> >> > really want to strip everything that's risky; it's my main priority.
> >> >
> >> > Cool guys on #Zftalk have advised to use the pregReplace filter built in
> >> > ZF since I have a regexp, but I'm not sure regexp is secure so...
> >> >
> >> > Any help appreciated! I'm a little lost with this. Thanks!
> >>
> >> I'd build a filter that wraps HtmlPurifier, to be honest...
> >>
> >> --
> >> Matthew Weier O'Phinney
> >> Project Lead | [email protected]
> >> Zend Framework | http://framework.zend.com/
> >> PGP key: http://framework.zend.com/zf-matthew-pgp-key.asc
> >
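The whitelist function the thread is asking for, as an added PHP example that is not code from the thread, from Zend Framework or from HtmlPurifier. The class name `WhitelistTextFilter` and the sample strings are constructed for this example; `filter()` has the single-method shape of ZF1's `Zend_Filter_Interface`, so the class could implement that interface, but nothing here depends on ZF. It keeps exactly the characters listed in the original question and relies on the `/u` modifier to make `preg_replace` treat the input as UTF-8, which answers the "can't use preg_replace because of unicode" worry. One detail worth checking in any regex built from that list: inside a PCRE character class the sequence `+-_` is a range from `+` (0x2B) to `_` (0x5F), which would silently admit `<`, `>`, `=` and other characters, so the hyphen is escaped here.

```php
<?php
// Added example, not from the fw-general thread or from Zend Framework.
// A whitelist "SecureText" filter: everything outside the allowed set is
// removed. Class and method names are this example's own.
final class WhitelistTextFilter
{
    // Allowed characters from the original question:
    //   a-zA-Z0-9 space ; . , ? + - _ ! [ ] / ( )
    // The hyphen is escaped (\-) so it is a literal and not the start of a
    // range; '[', ']' and the '/' delimiter are escaped for the same reason.
    // The /u modifier makes PCRE treat the subject as UTF-8, so a multibyte
    // character such as "é" is matched and removed as one unit.
    private const PATTERN = '/[^a-zA-Z0-9 ;.,?+_!\[\]\/()\-]/u';

    /**
     * Same signature as Zend_Filter_Interface::filter() in ZF1, so this
     * class could be dropped into a ZF filter chain.
     */
    public function filter($value)
    {
        if (!is_string($value)) {
            throw new InvalidArgumentException('WhitelistTextFilter expects a string');
        }

        $clean = preg_replace(self::PATTERN, '', $value);

        // With /u, preg_replace returns null on malformed UTF-8 instead of
        // operating byte-by-byte. Fail closed: nothing from such input
        // survives, rather than passing the raw bytes through unfiltered.
        if ($clean === null) {
            if (preg_last_error() !== PREG_NO_ERROR) {
                return '';
            }
        }

        return $clean;
    }
}

// Constructed sample inputs covering the cases the thread worries about:
// plain text, markup, a quote-based SQL fragment, multibyte characters,
// and bytes that are not valid UTF-8 at all.
$filter = new WhitelistTextFilter();
$samples = [
    'hello world 42',
    '<script>alert(1)</script>',
    "Robert'); DROP TABLE users;--",
    'café naïve 東京',
    "\xff\xfe not utf-8",
];

foreach ($samples as $input) {
    echo $filter->filter($input), "\n";
}
```

Run it with `php whitelist_filter.php`. Two things the output makes visible: the multibyte letters in the fourth sample disappear entirely (the filter really does drop all non-ASCII, which is the usability trade-off the question accepts), and the third sample loses only its quote while `DROP TABLE users;--` stays. That is harmless only because the surviving characters cannot break out of a parameterised query or an escaped HTML attribute, so the whitelist is an extra layer, not a replacement for prepared statements and `htmlspecialchars()` on output. In ZF1 the same pattern can be handed to `Zend_Filter_PregReplace`, which is the filter the #Zftalk suggestion refers to; the hyphen-in-class issue applies there just the same.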
