HTML Trigger
April 16, 2010 11:49AM

I have been working on optimizing phpinputvalidator. One of the speed issues I have found is HTML Purifier. Obviously, with the large overhead, it is not ideal to use it when it's not needed. You can configure it so it is only used when you tell it to use it. But I would like to refine it even more.

Would it be good from a security and a purification standpoint to only trigger HTML Purifier if, say, a < is found? The thought being that if there is not a < then the string shouldn't have any HTML, thus shouldn't need to be run through Purifier.

Re: HTML Trigger
April 16, 2010 12:44PM

HTML Purifier still performs corrective measures even when there is no < present. One great example is multibyte encodings; there are some well-known attacks that require *nothing* that looks like HTML, just some malformed UTF-8 bytes.

Re: HTML Trigger
April 16, 2010 12:51PM

Ok that's what I sort of figured. I wanted to be sure.

Re: HTML Trigger
April 16, 2010 12:53PM

That's not to say that it's not possible to short circuit HTML Purifier in some cases, but you have to be *very very* careful.
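
The difference between the `<` trigger proposed in the first post and a conservative gate, shown as an added example that is not part of the thread, phpinputvalidator, or HTML Purifier. The function names, the allow-list, and the sample strings are assumptions constructed for illustration; anything the strict gate does not recognise as inert is sent to the purifier.

```php
<?php
// Added example: hypothetical helpers, not phpinputvalidator or HTML Purifier code.

/** The trigger proposed in the thread: purify only when a '<' is present. */
function naive_can_skip(string $input): bool
{
    return strpos($input, '<') === false;
}

/**
 * Conservative gate: skip the purifier only when the input is valid UTF-8
 * AND consists solely of characters from a small allow-list (an assumption;
 * tune it to your data). Everything else takes the slow path.
 */
function strict_can_skip(string $input): bool
{
    // With the /u modifier PCRE validates the subject as UTF-8 and
    // preg_match() returns false on malformed bytes, so "=== 1" rejects
    // both invalid encodings and any character outside the allow-list
    // (no <, >, &, quotes, backslashes, or control characters).
    return preg_match('/\A[\p{L}\p{N} .,!?:;()\-\r\n]*\z/u', $input) === 1;
}

// Constructed sample inputs.
$samples = [
    'plain ASCII'            => 'Hello, world!',
    'valid UTF-8, no markup' => "Caf\u{00E9} menu (2 pages)",
    'truncated sequence'     => "caf\xC3",          // lead byte, no continuation
    'stray continuation'     => "price \x80 ok",    // continuation without lead
    'entity, no angle'       => 'AT&amp;T',
    'markup'                 => '<b>bold</b>',
];

foreach ($samples as $label => $value) {
    printf(
        "%-24s naive=%-7s strict=%s\n",
        $label,
        naive_can_skip($value) ? 'skip' : 'purify',
        strict_can_skip($value) ? 'skip' : 'purify'
    );
}
```

The two malformed samples contain no `<`, so the naive trigger skips them, while the strict gate routes them to the purifier.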
