-- robert mena wrote (on Monday, 25 October 2010, 03:39 PM -0400):
> In my case I'd like to have control over this. In most cases (like regular
> form variables/GET/hidden) I'd like to remove ALL html. Some fields (a few
> where I allow - via tinyMCE) should allow some tags to be used - like th
I was just looking over the documentation of Zend_Filter_StripTags and it's
not recommended for preventing XSS attacks:
http://framework.zend.com/manual/en/zend.filter.set.html#zend.filter.set.striptags
I'm guessing that Tidy might be faster than HTMLPurifier if you're concerned
about performance.
Hi Hector,
In my case I'd like to have control over this. In most cases (like regular
form variables/GET/hidden) I'd like to remove ALL html. Some fields (a few
where I allow - via tinyMCE) should allow some tags to be used - like the
strong.
In a more recent blog (
http://blog.astrumfutura.co
Then I guess it depends -- do you want to filter out all html, or allow
html-like content to be displayed back to your users (escaped, of course)?
Personally I prefer the latter because it allows users to write something
like "Strong tags look like this: content"
The users will see the actual HTM
Hi Hector,
Thanks for your reply.
If I recall, the 'general' advice should be: filter input and escape output.
I am looking for the filter part right now.
On Mon, Oct 25, 2010 at 12:39 PM, Hector Virgen wrote:
> If HTML is not allowed, it's better to escape the value instead of strip
> out cont
If HTML is not allowed, it's better to escape the value instead of stripping out
content that resembles HTML.
--
*Hector Virgen*
Sr. Web Developer
Walt Disney Parks and Resorts Online
http://www.virgentech.com
On Mon, Oct 25, 2010 at 9:29 AM, robert mena wrote:
> Hi,
>
> I'd like to know if is it
Hi,
I'd like to know if it is safe to filter XSS using Zend_Filter_Tags if none of
my fields is supposed to receive any HTML.
I read somewhere (at Padraic's blog?) that for more sophisticated filtering
(like allowing certain tags/attributes) Zend_Filter_Tags is not the option.
Regards.
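The two approaches discussed in this thread (stripping tag-like input versus escaping on output) side by side, as an added example that is not part of the original mails and not Zend Framework code. It uses only plain PHP's htmlspecialchars() and strip_tags(), so it runs without the framework; the sample input is constructed for the example, and the function names are my own.

```php
<?php
// Added example, not code from the thread: plain-PHP comparison of
// "strip on input" and "escape on output". No Zend_Filter classes are used.

// Escape on output: the value is encoded for the HTML text/attribute context
// it is emitted into, so the browser shows the user's text exactly as typed.
// ENT_QUOTES also encodes single quotes, which matters inside attributes;
// the explicit charset avoids relying on the default encoding.
function escapeForHtml($value)
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Strip on input: anything that looks like a tag is silently removed.
// A user who typed a literal example of HTML loses that text.
function stripAllHtml($value)
{
    return strip_tags($value);
}

// Build a form field with the value escaped for the attribute context.
function renderSearchField($search)
{
    return '<input type="text" name="q" value="' . escapeForHtml($search) . '">';
}

// Constructed sample input: a user explaining HTML in a plain-text field,
// like the example Hector gives above.
$input = 'Strong tags look like this: <strong>content</strong>';

echo "Escaped on output:\n", escapeForHtml($input), "\n\n";
echo "Stripped on input:\n", stripAllHtml($input), "\n\n";

// The same rule applies to attribute values: escape for the context where
// the value lands, not at the point where the request variable is read.
$search = 'a "quoted" <term>';
echo "Attribute context:\n", renderSearchField($search), "\n";
```

Running it shows the difference the thread is about: the escaped version keeps the angle brackets as entities, so the page displays the sentence the user wrote, while the stripped version drops the tags and changes the user's meaning. The stripped value is also not safe to place into an attribute unescaped, since strip_tags() leaves quotes intact; escaping at the output point handles both cases.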