[nycphp-talk] User Input Data scrubbing

Michele Waldman mmwaldman at
Fri Nov 28 16:44:59 EST 2008

Well, if they add a bell, form feed, cancel, end of transmitting, I'm
removing it.  That's not a legitimate part of a comment.

I don't want to remove any legitimate part of my user's comment either.

If they have code samples or anything else for that matter, I want it to
display.  I'm not, however, linking in pictures or linking urls.  People can
cut and paste that into the browser if they want to follow up on the
person's comments.

But, I don't want to crash my website, either.

XSS - cross server scripting?  Embedding your php in the code?


-----Original Message-----
From: talk-bounces at [mailto:talk-bounces at] On
Behalf Of Chris Shiflett
Sent: Friday, November 28, 2008 3:50 PM
To: NYPHP Talk
Subject: Re: [nycphp-talk] User Input Data scrubbing

On Nov 28, 2008, at 15:40, Michele Waldman wrote:

> I'm looking at two separate issues right now: SQL injection and Html  
> injection.
> But, I think you can kill two birds with one stone.

Not if you want to adhere to best practices. XSS is not something you  
can remove. It's the result of sloppy programming.

On my blog, XSS is talked about a lot, so many of the comments might  
appear to be XSS attacks. I haven't (yet) had a vulnerability in my  
comment code, despite being a constant target for attack, and despite  
the fact that I don't remove any part of anyone's comment.

There's a lot of misinformation out there, so tread carefully.


Chris Shiflett
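The two concerns in this thread (stripping control characters versus "removing" XSS), shown as an added PHP example that is not from either poster. It assumes a PDO connection `$pdo` and a hypothetical `comments(body TEXT)` table; the comment text is stored verbatim and only escaped when it is rendered, so code samples survive intact:

```php
<?php
// Added example, not from the thread. Two separate concerns, handled separately:
// 1. SQL injection: the comment is bound as a parameter, never spliced into SQL.
// 2. HTML injection / XSS: the comment is stored as-is and escaped at output time.
// Assumes a PDO handle $pdo and a hypothetical table comments(body TEXT).

// Drop only C0 control characters that have no place in text (BEL 0x07, FF 0x0C,
// CAN 0x18, EOT 0x04, ...). Tab, LF and CR are kept so pasted code keeps its
// indentation and line breaks.
function strip_control_chars(string $text): string
{
    return preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', '', $text);
}

function store_comment(PDO $pdo, string $body): void
{
    // Prepared statement: the value never becomes part of the SQL text.
    $stmt = $pdo->prepare('INSERT INTO comments (body) VALUES (:body)');
    $stmt->execute([':body' => strip_control_chars($body)]);
}

// Output escaping: whatever the comment contains, the browser renders it as
// text inside <pre>, never as markup. Nothing is removed from the comment.
function render_comment(string $body): string
{
    return '<pre>' . htmlspecialchars($body, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</pre>';
}

// Constructed sample input: a markup-bearing code snippet with a bell (\x07)
// and a form feed (\x0C) mixed in, plus a tab that should be preserved.
$comment = "<script>alert('x')</script>\x07\tfoo();\x0C";
echo render_comment(strip_control_chars($comment)), "\n";
```

The URL and image behaviour Michele describes falls out naturally: because the text is escaped rather than interpreted, a pasted URL shows up as plain text the reader can copy, and no `<a>` or `<img>` is ever emitted.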

New York PHP User Group Community Talk Mailing List
