[nycphp-talk] Injection Attack, any ideas?
Rob Marscher
rmarscher at beaffinitive.com
Sun Nov 18 22:02:06 EST 2007
On Nov 17, 2007, at 12:42 AM, Daniel Convissor wrote:
> On Mon, Nov 12, 2007 at 04:26:54PM -0500, Rob Marscher wrote:
>>
>> But it's expensive to escape it every time someone views the page.
>> Therefore, it's recommended to filter it on input but store the
>> filtered version
> This approach is flawed because disgruntled people who have server side
> access to the database can insert HTML. Escaping HTML upon page
> generation is the safest way to go.
Hmm... that's a good point. I guess my suggestion is more just on
caching the filtering if it's an expensive operation. And as you
point out, that needs to be done in a trusted way. Here's the
specific HTMLPurifier documentation that discusses it: http://htmlpurifier.org/docs/enduser-slow.html
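An added illustration of the "cache the filtering, but in a trusted way" idea; this is example code written for this archive page, not code from the thread, from HTMLPurifier, or from either poster. It keeps the raw text as the stored value, escapes on output, and caches the escaped result together with an HMAC so a cached copy is only reused when it verifies. The secret string, the array standing in for a database column or memcache, and the use of plain htmlspecialchars() in place of HTMLPurifier are all assumptions made for the example.

```php
<?php
// Added example (not from the thread): store the raw user text, escape on
// output, and cache the escaped result tagged with an HMAC so that a cached
// copy is only trusted if this code produced it with this secret.
// $secret, the array-backed $cache and escape_html() are placeholders.

declare(strict_types=1);

// Escape untrusted text for an HTML body or attribute context.
// In a real deployment this would be the expensive HTMLPurifier call.
function escape_html(string $raw): string
{
    return htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Tag a cached filtered string with an HMAC over raw input and filtered
// output. Someone who can write the cache (e.g. a DB column) but does not
// hold $secret cannot produce a valid tag for tampered content.
function cache_tag(string $secret, string $raw, string $filtered): string
{
    return hash_hmac('sha256', $raw . "\0" . $filtered, $secret);
}

// Return the filtered text, reusing the cache entry only if its tag verifies.
// $cache is an array reference standing in for a DB column or memcache.
function filtered_for_output(string $secret, string $raw, array &$cache, callable $filter): string
{
    $key = hash('sha256', $raw);          // key on the raw content itself,
                                          // so an edited raw row is a cache miss
    if (isset($cache[$key])) {
        [$cachedFiltered, $tag] = $cache[$key];
        if (hash_equals(cache_tag($secret, $raw, $cachedFiltered), $tag)) {
            return $cachedFiltered;       // trusted cached copy
        }
        // Tag mismatch: the cached copy was altered. Fall through and refilter.
    }
    $filtered = $filter($raw);            // the expensive step
    $cache[$key] = [$filtered, cache_tag($secret, $raw, $filtered)];
    return $filtered;
}

// Demo with constructed input.
$secret = 'replace-with-a-per-deployment-secret';
$cache  = [];
$raw    = '<script>alert(1)</script> & "quotes"';

$first = filtered_for_output($secret, $raw, $cache, 'escape_html');

// Simulate a direct DB edit of the "already safe" cached column:
$cache[hash('sha256', $raw)][0] = '<script>alert(1)</script>';
$second = filtered_for_output($secret, $raw, $cache, 'escape_html');

var_dump($first === $second);  // the tampered copy is rejected and refiltered
echo $second, "\n";
```

The point of keying the cache on a hash of the raw content is that editing the raw row in the database simply misses the cache and gets refiltered; the HMAC covers the remaining case where only the cached filtered column is edited. The secret has to live outside the database (application config) for that second check to mean anything.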