Well, if they add a bell, form feed, cancel, end of transmitting, I'm removing it. That's not a legitimate part of a comment.
I don't want to remove any legitimate part of my user's comment either. If they have code samples or anything else for that matter, I want it to display. I'm not, however, linking in pictures or linking URLs. People can cut and paste that into the browser if they want to follow up on the person's comments. But, I don't want to crash my website, either.

XSS - cross server scripting? Embedding your PHP in the code?

Michele

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chris Shiflett
Sent: Friday, November 28, 2008 3:50 PM
To: NYPHP Talk
Subject: Re: [nyphp-talk] User Input Data scrubbing

On Nov 28, 2008, at 15:40, Michele Waldman wrote:
> I'm looking at two separate issues right now: SQL injection and HTML
> injection.
>
> But, I think you can kill two birds with one stone.

Not if you want to adhere to best practices. XSS is not something you can remove. It's the result of sloppy programming.

On my blog, XSS is talked about a lot, so many of the comments might appear to be XSS attacks. I haven't (yet) had a vulnerability in my comment code, despite being a constant target for attack, and despite the fact that I don't remove any part of anyone's comment.

There's a lot of misinformation out there, so tread carefully.

Chris

--
Chris Shiflett
http://shiflett.org/

_______________________________________________
New York PHP User Group Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk
http://www.nyphp.org/show_participation.php
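The approach Chris describes in the thread above (keep the comment text intact, and treat SQL injection and XSS as two separate boundaries rather than one "scrub" step), together with the one filter Michele does want (dropping control characters such as bell and form feed), as an added PHP example. This is not code from either poster; the in-memory SQLite database, the `comments` table and the function names are assumptions made so the script runs stand-alone.

```php
<?php
// Added example, not from the thread. Two separate boundaries:
//   storage: parameter binding stops SQL injection without touching the text;
//   output:  HTML escaping stops XSS without touching the stored text.
// Assumes PDO with the SQLite driver and a `comments` table (created below).

declare(strict_types=1);

// The only "scrubbing" applied: remove C0 control characters and DEL, but keep
// tab, line feed and carriage return, which legitimately appear in code samples.
function stripControlChars(string $text): string
{
    return preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', '', $text);
}

// Storage boundary: the comment body is bound as a parameter, so quotes,
// semicolons and "--" inside it are data, never SQL.
function saveComment(PDO $db, string $author, string $body): void
{
    $stmt = $db->prepare('INSERT INTO comments (author, body) VALUES (:author, :body)');
    $stmt->execute([':author' => $author, ':body' => stripControlChars($body)]);
}

// Output boundary: stored text is escaped for the HTML context it lands in.
// Code samples survive as literal text; nothing in them becomes markup.
function renderComment(array $row): string
{
    $author = htmlspecialchars($row['author'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $body   = htmlspecialchars($row['body'],   ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    // <pre> preserves whitespace of pasted code; URLs stay plain text, not links,
    // which matches the "cut and paste it yourself" policy from the thread.
    return "<div class=\"comment\"><b>{$author}</b><pre>{$body}</pre></div>\n";
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)');

// Constructed sample input: a name with an apostrophe, a comment that looks
// like an XSS probe, an SQL comment marker, and a bell character.
saveComment($db, "O'Brien", "<script>alert(1)</script>\x07 SELECT 1; -- see my code");

foreach ($db->query('SELECT author, body FROM comments') as $row) {
    echo renderComment($row);
}
```

Run it with the PHP CLI; the `<script>` text is rendered as visible characters rather than executed, the apostrophe in the author name never reaches the SQL parser, and the bell byte is the only thing removed from what the user typed. If a comment is later placed in a different context (an attribute value, a JavaScript string, a URL), that context needs its own escaping function; the stored text stays the same.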
