----- Original Message ----- From: "Rob Marscher" <[EMAIL PROTECTED]>
To: "NYPHP Talk" <talk@lists.nyphp.org>
Sent: Monday, November 12, 2007 4:26 PM
Subject: Re: [nyphp-talk] Injection Attack, any ideas?


On Nov 12, 2007, at 1:25 PM, Dan Cech wrote:
The fact that your example demonstrates the proper approach (using html escaping to display the user data) rather than 'scrubbing and cleaning' the input makes this advice even more confusing.

If you need to allow user input of html, HTMLPurifier is pretty nice to get rid of the possible XSS attack - http://htmlpurifier.org/

But it's expensive to escape it every time someone views the page. Therefore, it's recommended to filter it on input but store the filtered version in a separate column in the database from the input directly from the user (in case the filter causes unexpected data loss from malformed html).

I do this before I store user form data in the database.

I first run HTMLPurifier, then validate against a type and size,
then store in the DB. Works great, not too much time wasted developing yet another class.

- Ben
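
One way to put the workflow described in this thread into code, as an added example (not code from the thread, from Ben, or from the HTMLPurifier project), assuming HTMLPurifier is installed via Composer, a PDO connection is available, and a hypothetical `comments` table with `body_raw` and `body_clean` columns:

```php
<?php
// Added example (not from the thread): purify HTML once on input, store the
// purified copy beside the raw submission, validate type/size, and escape
// plain text at output time. Assumes HTMLPurifier via Composer autoload and
// a PDO connection; table and column names are hypothetical.
require __DIR__ . '/vendor/autoload.php';

function makePurifier(): HTMLPurifier {
    $config = HTMLPurifier_Config::createDefault();
    // Allow only a small set of formatting elements; everything else is stripped.
    $config->set('HTML.Allowed', 'p,br,b,i,em,strong,a[href],ul,ol,li');
    // Refuse javascript:/data: links; only http and https survive purification.
    $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true]);
    return new HTMLPurifier($config);
}

/**
 * Validate and purify a user-submitted comment. Returns both versions for
 * storage (the raw copy guards against data loss if the filter mangles
 * malformed HTML), or null if type or size validation fails.
 */
function prepareComment(HTMLPurifier $purifier, $raw, int $maxLen = 5000): ?array {
    if (!is_string($raw)) {
        return null;                        // type check
    }
    if (strlen($raw) > $maxLen) {
        return null;                        // size check on the submitted input
    }
    $clean = $purifier->purify($raw);
    if (trim($clean) === '') {
        return null;                        // nothing usable left after filtering
    }
    return ['raw' => $raw, 'clean' => $clean];
}

// Store both columns with a prepared statement so the HTML content can never
// alter the SQL, whatever quotes or semicolons it contains.
function storeComment(PDO $db, int $userId, array $comment): void {
    $stmt = $db->prepare(
        'INSERT INTO comments (user_id, body_raw, body_clean) VALUES (?, ?, ?)'
    );
    $stmt->execute([$userId, $comment['raw'], $comment['clean']]);
}

// Rendering: body_clean was purified on input and is emitted as-is; any
// plain-text field (here the author name) is still escaped at output time.
function renderComment(array $row): string {
    return '<div class="comment"><b>'
         . htmlspecialchars($row['author'], ENT_QUOTES, 'UTF-8')
         . '</b>' . $row['body_clean'] . '</div>';
}
```

If the allowed-element policy ever changes, `body_raw` lets you re-run the purifier over existing rows instead of losing content that the old filter removed.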


_______________________________________________
New York PHP Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk

NYPHPCon 2006 Presentations Online
http://www.nyphpcon.com

Show Your Participation in New York PHP
http://www.nyphp.org/show_participation.php
_______________________________________________