
HTML purifier in a security implementation

Posted by nuttzy 
HTML purifier in a security implementation
January 17, 2008 10:15AM

I'm in the process of securing a bunch of wide open code. It's not just vulnerable to XSS, it's wide open period. My general plan for a security framework is to filter input and escape output (obviously things like CSRF are addressed on their own). I have the need to store many items in a database as well.

Where does HTML Purifier fit into the solution? I like the idea of running it as part of the filter so that your more obvious exploits never reach the DB. However, HTML Purifier will turn something like "Bill & Bob" to "Bill &amp; Bob" which is not how we want to be storing stuff in the DB (like if we export something from the DB for use in Excel for example).

I could use HTML Purifier on the escaping portion, but then some nasty stuff will be left lingering in the DB, waiting for me to let my guard down.

So, before I start designing my security implementation, I thought it would be nice to get some feedback on how best to build HTML Purifier into it. I'd also depart from the filter/escape strategy if there is some better idea.

Thanks! -Craig

Re: HTML purifier in a security implementation
January 17, 2008 05:00PM

You've hit the classic problem of in-bound versus out-bound filtering. What you want to do is cache all user-inputted data: one column for the un-filtered data, and one for the filtered data ready to be served. For more details see: http://htmlpurifier.org/docs/enduser-slow.html
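The two-column scheme from the reply, as an added PHP example that is not from this thread or from the HTML Purifier project: it assumes HTML Purifier is loadable via library/HTMLPurifier.auto.php (path is an assumption), uses an in-memory SQLite table as a stand-in for the real database, and feeds it a constructed sample comment.

```php
<?php
// Added example: store what the user sent (raw) next to what HTML Purifier
// produced (clean). The clean column is served as HTML; the raw column is
// what you export, so "Bill & Bob" stays "Bill & Bob" for Excel.
require_once 'library/HTMLPurifier.auto.php'; // assumed install path

$config   = HTMLPurifier_Config::createDefault();
$purifier = new HTMLPurifier($config);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (
    id         INTEGER PRIMARY KEY,
    body_raw   TEXT NOT NULL,  -- exactly what was submitted, never echoed as HTML
    body_clean TEXT NOT NULL   -- purified once at write time, safe to echo
)');

// Write path: purify once, keep both versions.
function storeComment(PDO $db, HTMLPurifier $purifier, $raw)
{
    $stmt = $db->prepare(
        'INSERT INTO comments (body_raw, body_clean) VALUES (?, ?)'
    );
    $stmt->execute(array($raw, $purifier->purify($raw)));
    return (int) $db->lastInsertId();
}

// Read path: the clean column is already HTML, so it is echoed as-is.
function renderComment(PDO $db, $id)
{
    $stmt = $db->prepare('SELECT body_clean FROM comments WHERE id = ?');
    $stmt->execute(array($id));
    return $stmt->fetchColumn();
}

// Export path: the raw column, escaped for the target format (CSV), not HTML.
function exportCommentCsv(PDO $db, $id)
{
    $stmt = $db->prepare('SELECT id, body_raw FROM comments WHERE id = ?');
    $stmt->execute(array($id));
    $out = fopen('php://output', 'w');
    fputcsv($out, $stmt->fetch(PDO::FETCH_NUM));
    fclose($out);
}

// Constructed sample input, not real user data.
$id = storeComment($db, $purifier, 'Bill & Bob <b>say</b> <script>alert(1)</script>');
echo renderComment($db, $id), "\n";  // "&" is now "&amp;", the script element is gone
exportCommentCsv($db, $id);          // raw "Bill & Bob ..." lands in the CSV cell
```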
