
[Misc] PHP's filter extension and HTML Purifier

Posted by inazo 
[Misc] PHP's filter extension and HTML Purifier
February 21, 2007 09:26AM

Hello,

I have another question. Can we use filter functions like filter_input to prevent an XSS attack?

Or is it useless to use filter_input to check and validate input data from an external source?

Thanks for your answer.

Alexandre Joly.

Edited 1 time(s). Last edit at 04/02/2007 06:31AM by Ambush Commander.

Re: Use filter function ?
February 21, 2007 04:21PM

It depends on what you want to do. PHP's filter extension does not have HTML filtering built-in, so you'll have to use HTML Purifier for that job. For simpler datatypes, though, like integers, floating point numbers, email addresses, etc., filter's validation functions should be good enough for guarding against XSS.

Some people who believe in defense-in-depth would say that you should still htmlspecialchars() anything on the way out. Might not be a bad idea.

HTML Purifier, Standards Compliant HTML Filtering
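The layering described in the reply above (filter extension for simple types, HTML Purifier for the one HTML field, htmlspecialchars() on output), as an added PHP example that is not from this thread or from HTML Purifier's own documentation. It assumes HTML Purifier's autoloader lives at the path shown (a placeholder) and uses filter_var() on a constructed array instead of filter_input() so it can run without a live request.

```php
<?php
// Added example (not from the thread): validate simple fields with the
// filter extension, run the free-form HTML field through HTML Purifier,
// and escape plain values with htmlspecialchars() when rendering.
require_once '/path/to/htmlpurifier/library/HTMLPurifier.auto.php'; // assumed install path

function validateProfile(array $input): array
{
    $errors = [];
    $clean  = [];

    // Integer field: filter_var() returns false for anything that is not a
    // well-formed integer in range, so markup smuggled into the value is rejected.
    $age = filter_var($input['age'] ?? null, FILTER_VALIDATE_INT,
                      ['options' => ['min_range' => 0, 'max_range' => 150]]);
    if ($age === false) { $errors[] = 'age'; } else { $clean['age'] = $age; }

    // Email field: FILTER_VALIDATE_EMAIL is the filter extension's regex-based check.
    $email = filter_var($input['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false) { $errors[] = 'email'; } else { $clean['email'] = $email; }

    // Free-form HTML (e.g. a bio): the filter extension cannot validate HTML,
    // so HTML Purifier does that job, reduced here to a small whitelist.
    $config = HTMLPurifier_Config::createDefault();
    $config->set('HTML.Allowed', 'p,b,i,em,strong,a[href]');
    $purifier = new HTMLPurifier($config);
    $clean['bio'] = $purifier->purify($input['bio'] ?? '');

    return ['clean' => $clean, 'errors' => $errors];
}

// Defense in depth: escape non-HTML values on the way out, as the reply suggests.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Constructed sample submission with script markup in each field.
$submitted = [
    'age'   => '37<script>alert(1)</script>',
    'email' => 'bob@example.com"<script>alert(1)</script>',
    'bio'   => '<p>Hi <b>there</b></p><script>alert(1)</script><a href="javascript:alert(1)">x</a>',
];
$result = validateProfile($submitted);

echo '<p>Invalid fields: ' . e(implode(', ', $result['errors'])) . '</p>';
echo '<p>Age: ' . e((string) ($result['clean']['age'] ?? '')) . '</p>';
echo $result['clean']['bio']; // already purified; not double-escaped
```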

Re: Use filter function ?
February 21, 2007 05:25PM

OK, good. I think I'll continue to use HTML Purifier, but I think I'll use filter for email addresses; I think it's better than a regex.

Thanks for your answers.

Alexandre Joly.

Re: Use filter function ?
February 25, 2007 03:57PM

filter actually implements its email checking functionality with regexps. The trick is finding the right one! :-) Good call though: HTML Purifier can only validate HTML.

HTML Purifier, Standards Compliant HTML Filtering
