[nycphp-talk] User Input Data scrubbing

Chris Shiflett shiflett at
Fri Nov 28 15:50:19 EST 2008

On Nov 28, 2008, at 15:40, Michele Waldman wrote:

> I’m looking at two separate issues right now: SQL injection and HTML
> injection.
> But, I think you can kill two birds with one stone.

Not if you want to adhere to best practices. XSS is not something you  
can remove. It's the result of sloppy programming.

On my blog, XSS is talked about a lot, so many of the comments might  
appear to be XSS attacks. I haven't (yet) had a vulnerability in my  
comment code, despite being a constant target for attack, and despite  
the fact that I don't remove any part of anyone's comment.

There's a lot of misinformation out there, so tread carefully.


Chris Shiflett
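The distinction the reply draws, handling SQL injection and HTML injection as two separate problems and never stripping anything from a comment, looks like this in practice. The following is an added example and not code from the original post or from Chris Shiflett's blog: the comment body is stored byte-for-byte as submitted, SQL injection is handled by a parameterised query, and HTML injection (XSS) is handled by escaping at the point of output. It assumes PHP with PDO and the sqlite driver; the in-memory table, the `saveComment`/`loadComments`/`renderComments` helpers and the sample comments are constructed for this example.

```php
<?php
// Added example, not code from the original post or from Chris Shiflett's blog.
// Two separate contexts, two separate defences; the stored data is never modified.
// Assumes PDO with the sqlite driver; the table and sample comments are constructed here.

declare(strict_types=1);

function openStore(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT NOT NULL, body TEXT NOT NULL)');
    return $db;
}

// SQL context: the values are bound as parameters and never become part of the
// query text, so quotes and comment markers inside them are plain data.
function saveComment(PDO $db, string $author, string $body): int
{
    $stmt = $db->prepare('INSERT INTO comments (author, body) VALUES (:author, :body)');
    $stmt->execute([':author' => $author, ':body' => $body]);
    return (int) $db->lastInsertId();
}

function loadComments(PDO $db): array
{
    return $db->query('SELECT author, body FROM comments ORDER BY id')->fetchAll(PDO::FETCH_ASSOC);
}

// HTML context: escape when the value is written into the page. ENT_QUOTES covers
// both quote characters so the result is safe inside attribute values as well as
// element content; the charset is stated explicitly so multibyte sequences are
// handled correctly.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderComments(array $comments): string
{
    $out = "<ul>\n";
    foreach ($comments as $c) {
        $out .= '  <li><b>' . h($c['author']) . '</b>: ' . h($c['body']) . "</li>\n";
    }
    return $out . "</ul>\n";
}

$db = openStore();

// Constructed sample input: one comment that talks about XSS and contains markup
// and a quote character, one that is ordinary text. Neither is altered on the way in.
saveComment($db, "O'Brien", 'Try <script>alert("xss")</script> -- is this filtered?');
saveComment($db, 'reader', 'Plain text with an ampersand & nothing else.');

$comments = loadComments($db);

// What came back from the database is exactly what was submitted.
var_dump($comments[0]['body'] === 'Try <script>alert("xss")</script> -- is this filtered?');

// What reaches the browser is the escaped representation of the same data.
echo renderComments($comments);
```

Run it with `php example.php`. The `var_dump` line confirms the stored comment is unchanged, and the rendered list shows the markup from the first comment as visible text rather than as a script element. Nothing in the pipeline decides what a "bad" comment looks like; each boundary simply encodes data correctly for the context it is entering, which is why the approach does not depend on guessing every attack pattern.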
