[nycphp-talk] User Input Data scrubbing

Michele Waldman mmwaldman at
Fri Nov 28 16:51:04 EST 2008

I checked out

They stripped <script> alert('hi'); </script> out of the input.

I convert that to text and display it as text.  I don't like the removal of


-----Original Message-----
From: talk-bounces at [mailto:talk-bounces at] On
Behalf Of Chris Shiflett
Sent: Friday, November 28, 2008 3:47 PM
To: NYPHP Talk
Subject: Re: [nycphp-talk] User Input Data scrubbing

On Nov 28, 2008, at 15:26, Elijah Insua wrote:

> Html/Cross Site Scripting is more along the lines of what you are  
> talking about.  There are tons of libraries out there that attempt  
> to kill off as many of these as possible.

The best one of these happens to be written in PHP:

If your needs are extremely simple, HTML Purifier might be more than  
you need, in which case a simple solution like this might work:

Hope that helps.


Chris Shiflett
New York PHP User Group Community Talk Mailing List
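As an added illustration (not code from this thread, from HTML Purifier, or from any library the posters checked out), the following PHP contrasts the two approaches discussed above: stripping tags from the input versus keeping the input intact and encoding it on output so it renders as literal text. It assumes a UTF-8 page; the sample string is the one quoted in the thread.

```php
<?php
declare(strict_types=1);

// Constructed sample input: the string mentioned in the thread.
$input = "<script> alert('hi'); </script>";

// Escape for an HTML element body or a quoted attribute value.
// ENT_QUOTES covers both quote styles, ENT_SUBSTITUTE avoids returning an
// empty string on malformed UTF-8, and the explicit charset prevents the
// multibyte-encoding mismatches that let encoded bytes slip past the filter.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Stripping approach (illustrated with PHP's strip_tags, assumed to be
// comparable to the library's behaviour): the tags are removed and the
// original text can no longer be shown or recovered.
function stripApproach(string $value): string
{
    return strip_tags($value);
}

// Escaping approach (what the earlier message describes): the stored value is
// untouched; the browser displays the markup characters instead of parsing them.
function escapeApproach(string $value): string
{
    return escapeHtml($value);
}

echo "Stripped: " . stripApproach($input) . "\n";
echo "Escaped:  " . escapeApproach($input) . "\n";

// Output contexts: the same helper serves an element body and a quoted
// attribute; the attribute quotes must be written by the template, not
// supplied by the user, or the encoding does not help.
echo '<p>' . escapeHtml($input) . "</p>\n";
echo '<input type="text" value="' . escapeHtml($input) . '">' . "\n";
```

Escaping on output only covers HTML body and quoted-attribute contexts; a value placed inside a script block, a URL, or a CSS property needs context-specific encoding, which is where a library such as HTML Purifier earns its keep.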