[nycphp-talk] User Input Data scrubbing
Michele Waldman
mmwaldman at nyc.rr.com
Fri Nov 28 16:44:59 EST 2008
Well, if they add a bell, form feed, cancel, end of transmitting, I'm
removing it. That's not a legitimate part of a comment.
I don't want to remove any legitimate part of my user's comment either.
If they have code samples or anything else for that matter, I want it to
display. I'm not, however, linking in pictures or linking urls. People can
cut and paste that into the browser if they want to follow up on the
person's comments.
But, I don't want to crash my website, either.
XSS - cross server scripting? Embedding your php in the code?
Michele
-----Original Message-----
From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org] On
Behalf Of Chris Shiflett
Sent: Friday, November 28, 2008 3:50 PM
To: NYPHP Talk
Subject: Re: [nycphp-talk] User Input Data scrubbing
On Nov 28, 2008, at 15:40, Michele Waldman wrote:
> I'm looking at two separate issues right now: SQL injection and Html
> injection.
>
> But, I think you can kill two birds with one stone.
Not if you want to adhere to best practices. XSS is not something you
can remove. It's the result of sloppy programming.
On my blog, XSS is talked about a lot, so many of the comments might
appear to be XSS attacks. I haven't (yet) had a vulnerability in my
comment code, despite being a constant target for attack, and despite
the fact that I don't remove any part of anyone's comment.
There's a lot of misinformation out there, so tread carefully.
Chris
--
Chris Shiflett
http://shiflett.org/
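An added example, not code from either poster, showing how the two concerns Chris keeps separate can be handled in PHP: only the control characters Michele mentions (bell, form feed, cancel, end of transmission) are dropped, the rest of the comment is stored and displayed intact, SQL injection is handled by a bound parameter, and XSS by escaping at output time. It assumes the pdo_sqlite extension is available; the sample comment is constructed.

```php
<?php
// 1. Strip only C0 control characters that have no place in comment text
//    (bell \x07, form feed \x0C, cancel \x18, EOT \x04 ...), but keep
//    tab, newline and carriage return so code samples survive.
function stripControlChars(string $comment): string
{
    return preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', '', $comment);
}

// 2. SQL injection is a storage-layer problem: bind the comment as a
//    parameter so its text is never part of the SQL statement itself.
function storeComment(PDO $db, string $comment): int
{
    $stmt = $db->prepare('INSERT INTO comments (body) VALUES (:body)');
    $stmt->execute([':body' => $comment]);
    return (int) $db->lastInsertId();
}

function loadComment(PDO $db, int $id): string
{
    $stmt = $db->prepare('SELECT body FROM comments WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return (string) $stmt->fetchColumn();
}

// 3. XSS is an output-layer problem: escape when rendering into HTML, so a
//    pasted <script> tag is displayed as text instead of being executed.
//    ENT_QUOTES also makes the result safe inside quoted attributes.
function renderComment(string $comment): string
{
    return '<pre>' . htmlspecialchars($comment, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</pre>';
}

// Demo with an in-memory SQLite database (assumes pdo_sqlite is installed).
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT)');

// Constructed sample: a code snippet, a stray bell character and a quote.
$raw = "Try this:\n<script>alert('x')</script>\x07 and ' OR 1=1 --";
$id  = storeComment($db, stripControlChars($raw));

// The stored text still contains the <script> and the quote verbatim;
// only the bell is gone. The browser receives it as escaped text.
echo renderComment(loadComment($db, $id)), PHP_EOL;
```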
_______________________________________________
New York PHP User Group Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk
http://www.nyphp.org/show_participation.php