Re: [fw-general] Preventing XSS : Zend_Filter_Tags is enough?

2010-10-25 Thread Matthew Weier O'Phinney
-- robert mena wrote (on Monday, 25 October 2010, 03:39 PM -0400): > In my case I'd like to have control over this. In most cases (like regular > form variables/GET/hidden) I'd like to remove ALL html. Some fields (a few > where I allow - via tinyMCE) should allow some tags to be used - like th

Re: [fw-general] Preventing XSS : Zend_Filter_Tags is enough?

2010-10-25 Thread Hector Virgen
I was just looking over the documentation of Zend_Filter_StripTags and it's not recommended for preventing XSS attacks: http://framework.zend.com/manual/en/zend.filter.set.html#zend.filter.set.striptags I'm guessing that Tidy might be faster than HTMLPurifier if you're concerned about performance

Re: [fw-general] Preventing XSS : Zend_Filter_Tags is enough?

2010-10-25 Thread robert mena
Hi Hector, In my case I'd like to have control over this. In most cases (like regular form variables/GET/hidden) I'd like to remove ALL html. Some fields (a few where I allow - via tinyMCE) should allow some tags to be used - like the strong. In a more recent blog ( http://blog.astrumfutura.co

Re: [fw-general] Preventing XSS : Zend_Filter_Tags is enough?

2010-10-25 Thread Hector Virgen
Then I guess it depends -- do you want to filter out all html, or allow html-like content to be displayed back to your users (escaped, of course)? Personally I prefer the latter because it allows users to write something like "Strong tags look like this: content" The users will see the actual HTM

Re: [fw-general] Preventing XSS : Zend_Filter_Tags is enough?

2010-10-25 Thread robert mena
Hi Hector, Thanks for your reply. If I recall, the 'general' advice should be: filter input and escape output. I am looking for the filter part right now. On Mon, Oct 25, 2010 at 12:39 PM, Hector Virgen wrote: > If HTML is not allowed, it's better to escape the value instead of strip > out cont

Re: [fw-general] Preventing XSS : Zend_Filter_Tags is enough?

2010-10-25 Thread Hector Virgen
If HTML is not allowed, it's better to escape the value instead of stripping out content that resembles HTML. -- *Hector Virgen* Sr. Web Developer Walt Disney Parks and Resorts Online http://www.virgentech.com On Mon, Oct 25, 2010 at 9:29 AM, robert mena wrote: > Hi, > > I'd like to know if is it

[fw-general] Preventing XSS : Zend_Filter_Tags is enough?

2010-10-25 Thread robert mena
Hi, I'd like to know if it is safe to filter XSS using Zend_Filter_Tags if none of my fields is supposed to receive any HTML. I read somewhere (at padraic's blog?) that for more sophisticated filtering (like allowing certain tags/attributes) Zend_Filter_Tags is not the option. Regards.