Dotan Cohen wrote:
On 25/04/07, Justin Frim <[EMAIL PROTECTED]> wrote:
I'm assuming then you want the data to be able to contain _some_ mark-up
considered to be safe?
Not at this stage, no. Maybe if the users ask for it, but not now in
the beginning. The universe's best engineer, Scotty, once advised us
tell them that it's impossible, and only then to implement what they
want.
You should decide now before going any further, do you want the future
capability to add mark-up codes? And if so, are they going to be
similar to HTML using the < and > characters, or are they going to be
like BBcode using the [ and ] characters?
This decision will determine if filters to gaurd against XSS attacks
really are the best solution or not.
See, you should only use filters to prevent XSS attacks if you plan on
using the < and > characters for mark-up codes (now or in the future).
Otherwise, use htmlspecialchars() or htmlentities(). If you use a
filter that strips < and > characters, you'll have a lot of angry /
frustrated / confused users when they find they can't type < and > as
literals if they're not aware that < and > are reserved for special
mark-up codes.
Consider:
Suppose a bunch of mathematicians are having a discussion on the message
board, and one of them decides to state that "variable x is greater than
3". They might type "x > 3", but your filter will end up garbling it
up. Not good! If you use htmlspecialchars(), then anything they type
will appear as typed.
If you want future capability for mark-up, you should inform the users
which characters are reserved, and how they can represent them as
literals. Basically, you're informing the users if they should "speak
HTML", "speak BBcode", or "speak the natural language" when they post on
the site.
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
