On Nov 17, 2007, at 12:42 AM, Daniel Convissor wrote:

> On Mon, Nov 12, 2007 at 04:26:54PM -0500, Rob Marscher wrote:
>> But it's expensive to escape it every time someone views the page.
>> Therefore, it's recommended to filter it on input but store the
>> filtered version
>
> This approach is flawed because disgruntled people who have server side
> access to the database can insert HTML. Escaping HTML upon page
> generation is the safest way to go.

Hmm... that's a good point. I guess my suggestion is more just on
caching the filtering if it's an expensive operation. And as you
point out, that needs to be done in a trusted way. Here's the
specific HTMLPurifier documentation that discusses it: http://htmlpurifier.org/docs/enduser-slow.html
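One way to do the caching "in a trusted way" that the thread settles on, as an added example (not code from the thread or from HTMLPurifier): keep the raw value in the database, escape it at page generation, and cache the escaped rendering under a key derived from a hash of the raw value, so a row changed directly in the database can never be served from a stale cache entry. `htmlspecialchars` stands in for the purifier call, and `$cache` is a hypothetical array-backed store.

```php
<?php
// Added example: escape on output, cache the escaped rendering keyed by the
// raw content. Not part of the mailing-list post or of HTMLPurifier.

function escape_html(string $raw): string
{
    // Escaping happens at page generation, never on input. In a real
    // deployment this would be the HTMLPurifier purify() call instead.
    return htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// $cache is a hypothetical key/value store (an array here; APCu or
// memcached would work the same way).
function render_comment(array &$cache, string $raw): string
{
    // The key covers the raw content and a version tag for the escaping
    // rules: a row edited behind the application's back, or a change to
    // the filter, both produce a cache miss instead of stale output.
    $key = 'esc:v1:' . hash('sha256', $raw);
    if (!isset($cache[$key])) {
        $cache[$key] = escape_html($raw);
    }
    return $cache[$key];
}

$cache = [];
$stored = '<b>bold</b> & <script>x()</script>';   // constructed sample row
echo render_comment($cache, $stored), "\n";        // miss: escaped and cached
echo render_comment($cache, $stored), "\n";        // hit: same escaped string

// Someone with database access rewrites the row directly:
$stored = '<img src=x onerror=x()>';               // constructed sample row
echo render_comment($cache, $stored), "\n";        // new hash: miss, escaped again
```

The expensive step runs once per distinct stored value, which is the saving the original suggestion was after, without ever trusting that what sits in the database has already been filtered.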
_______________________________________________
New York PHP Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk