[nycphp-talk] Injection Attack, any ideas?
Rob Marscher
rmarscher at beaffinitive.com
Mon Nov 12 16:26:54 EST 2007
On Nov 12, 2007, at 1:25 PM, Dan Cech wrote:
> The fact that your example demonstrates the proper approach (using html
> escaping to display the user data) rather than 'scrubbing and cleaning'
> the input makes this advice even more confusing.
If you need to allow user input of html, HTMLPurifier is pretty nice
to get rid of the possible XSS attack - http://htmlpurifier.org/
But it's expensive to escape it every time someone views the page.
Therefore, it's recommended to filter it on input but store the
filtered version in a separate column in the database from the input
directly from the user (in case the filter causes unexpected data loss
from malformed html).
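The two-column approach described above, as an added PHP example that is not from the original post or from the HTML Purifier project. It assumes HTML Purifier is installed via Composer and that a PDO connection is available; the table and column names (comments, body_raw, body_clean) are hypothetical.

```php
<?php
// Added example: purify user-supplied HTML once on input, store both the
// raw submission and the purified result, and render only the purified
// column so no per-view filtering is needed.
// Assumes HTML Purifier via Composer; table/column names are hypothetical.
require_once __DIR__ . '/vendor/autoload.php';

function makePurifier(): HTMLPurifier
{
    $config = HTMLPurifier_Config::createDefault();
    // Allow only the markup the application actually needs.
    $config->set('HTML.Allowed', 'p,b,i,a[href],ul,ol,li,br');
    $config->set('Cache.SerializerPath', sys_get_temp_dir());
    return new HTMLPurifier($config);
}

function storeComment(PDO $db, int $userId, string $rawHtml): int
{
    $clean = makePurifier()->purify($rawHtml);
    // Prepared statement: the raw HTML is bound as data, never interpolated.
    $stmt = $db->prepare(
        'INSERT INTO comments (user_id, body_raw, body_clean) VALUES (:uid, :raw, :clean)'
    );
    $stmt->execute([':uid' => $userId, ':raw' => $rawHtml, ':clean' => $clean]);
    return (int) $db->lastInsertId();
}

function renderComment(PDO $db, int $id): string
{
    // Read only the purified column. body_raw is kept so the original can
    // be re-filtered later if the filter turns out to have dropped content.
    $stmt = $db->prepare('SELECT body_clean FROM comments WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return (string) $stmt->fetchColumn();
}
```

If the allowed-tag list changes later, a one-off job can re-run purify() over body_raw to regenerate body_clean without asking users to resubmit.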