
[nycphp-talk] Injection Attack, any ideas?

Rob Marscher rmarscher at beaffinitive.com
Mon Nov 12 16:26:54 EST 2007


On Nov 12, 2007, at 1:25 PM, Dan Cech wrote:
> The fact that your example demonstrates the proper approach (using html
> escaping to display the user data) rather than 'scrubbing and cleaning'
> the input makes this advice even more confusing.

If you need to allow user input of html, HTMLPurifier is pretty nice
to get rid of the possible XSS attack - http://htmlpurifier.org/

But it's expensive to escape it every time someone views the page.
Therefore, it's recommended to filter it on input but store the
filtered version in a separate column in the database from the input
directly from the user (in case the filter causes unexpected data loss
from malformed html).
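The filter-on-input, keep-both-columns pattern described in the message above, as an added PHP example (not code from the original post or from the HTML Purifier project). It assumes HTML Purifier is installed with its standard `HTMLPurifier.auto.php` autoloader and PDO's SQLite driver is available; the `comments` table and the `body_raw` / `body_clean` column names are hypothetical, and the submitted markup is a constructed sample.

```php
<?php
// Added example, not from the original post or from HTML Purifier.
// Hypothetical schema: comments(id, user_id, body_raw, body_clean).
require_once 'HTMLPurifier.auto.php';

function makePurifier(): HTMLPurifier
{
    $config = HTMLPurifier_Config::createDefault();
    // Allow-list, not deny-list: only these elements/attributes survive.
    $config->set('HTML.Allowed', 'p,br,b,i,em,strong,a[href],ul,ol,li,blockquote');
    // Only these URI schemes are kept, so javascript: and data: hrefs are dropped.
    $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true, 'mailto' => true]);
    // Optional: a writable cache directory keeps repeated purification fast.
    // $config->set('Cache.SerializerPath', '/tmp/htmlpurifier');
    return new HTMLPurifier($config);
}

// On input: purify once and store both the untouched submission and the
// filtered version. Display code only ever reads body_clean.
function storeComment(PDO $db, HTMLPurifier $purifier, int $userId, string $raw): int
{
    $clean = $purifier->purify($raw);
    $stmt = $db->prepare(
        'INSERT INTO comments (user_id, body_raw, body_clean) VALUES (:uid, :raw, :clean)'
    );
    $stmt->execute([':uid' => $userId, ':raw' => $raw, ':clean' => $clean]);
    return (int) $db->lastInsertId();
}

// On output: no per-view purification, just emit the stored clean column.
function renderComment(PDO $db, int $id): string
{
    $stmt = $db->prepare('SELECT body_clean FROM comments WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ? $row['body_clean'] : '';
}

// Because body_raw was kept, a stricter (or bug-fixed) filter can be applied
// later to every row without asking users to resubmit. Returns rows updated.
function repurifyAll(PDO $db, HTMLPurifier $purifier): int
{
    $rows = $db->query('SELECT id, body_raw FROM comments')->fetchAll(PDO::FETCH_ASSOC);
    $update = $db->prepare('UPDATE comments SET body_clean = :clean WHERE id = :id');
    foreach ($rows as $row) {
        $update->execute([':clean' => $purifier->purify($row['body_raw']), ':id' => $row['id']]);
    }
    return count($rows);
}

// Demo against an in-memory SQLite database with a constructed payload.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, user_id INTEGER, '
        . 'body_raw TEXT, body_clean TEXT)');

$purifier = makePurifier();
$id = storeComment($db, $purifier, 42,
    '<p onmouseover="alert(1)">hi <a href="javascript:alert(1)">x</a>'
    . '<script>alert(1)</script> <b>bold</b></p>');

// The onmouseover attribute, the javascript: href and the <script> element
// do not survive purification; the allow-listed <p>, <a> and <b> do.
echo renderComment($db, $id), "\n";
echo repurifyAll($db, $purifier), " row(s) re-filtered\n";
```

Note that this is only for fields where users are genuinely allowed to post HTML. For ordinary text fields the cheaper and safer answer is the one in the quoted reply: store the input unchanged and escape it with `htmlspecialchars()` at output time.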



