[nycphp-talk] Validating/cleaning/scrubbing
csnyder
chsnyder at gmail.com
Sat Oct 1 12:23:58 EDT 2005
On 9/30/05, Stephen Musgrave <stephen at musgrave.org> wrote:
>
> Given Tuesday's presentation by Chris Shiflett (thanks, Chris!), I have
> been thinking more about security and am wondering if there are any
> classes out there that people are using that they trust and can
> recommend? Any comments about PHP Input Filter?
>
> PHP Input Filter (linked the PHP Security Consortium web site)
> http://cyberai.com/inputfilter/
>
The blacklist in PHP Input Filter doesn't include the style attribute,
which can be used in a whole class of XSS attacks that involve
obscuring a page's real content with content of an attacker's
choosing.
Of course, stripping the style attribute will also break some of the
markup generated by most WYSIWYG html editors, so perhaps that's a
necessary compromise? It seems easy enough to ask it to strip style
attributes on demand.
--
Chris Snyder
http://chxo.com/
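An allowlist-based attribute scrubber with the "strip style on demand" switch discussed above, written here as an added example rather than code from PHP Input Filter or from anyone in this thread; it assumes the PHP DOM extension is loaded and filters attributes only (element filtering, e.g. dropping script tags, is out of scope):

```php
<?php
// Added example (not PHP Input Filter's own code): allowlist-based
// attribute scrubbing with an on-demand switch for the style attribute.
// Requires the DOM extension; element filtering is not handled here.

/**
 * Keep only the attributes named in $allowed on every element in $html.
 * With $stripStyle true, "style" is removed even if $allowed lists it,
 * which is the "strip style on demand" compromise discussed above.
 */
function scrub_attributes(string $html, array $allowed, bool $stripStyle = true): string
{
    $allowed = array_map('strtolower', $allowed);
    if ($stripStyle) {
        $allowed = array_diff($allowed, ['style']);
    }

    $doc = new DOMDocument();
    libxml_use_internal_errors(true);            // WYSIWYG output is rarely well-formed
    $doc->loadHTML(
        '<?xml encoding="UTF-8"><div>' . $html . '</div>',   // single wrapper root
        LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD
    );
    libxml_clear_errors();

    $root = $doc->getElementsByTagName('div')->item(0);      // the wrapper we added
    foreach ($root->getElementsByTagName('*') as $el) {
        // Copy the names first: removing while iterating the live map skips entries.
        $names = [];
        foreach ($el->attributes as $attr) {
            $names[] = $attr->nodeName;
        }
        foreach ($names as $name) {
            if (!in_array(strtolower($name), $allowed, true)) {
                $el->removeAttribute($name);
            }
        }
    }

    $out = '';
    foreach ($root->childNodes as $child) {      // serialize without the wrapper
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

// Constructed sample resembling WYSIWYG output with an absolutely positioned block.
$sample = '<p style="position:absolute;top:0;left:0" class="note">'
        . 'Overlay text</p><a href="/page" style="color:red">link</a>';
$allowed = ['href', 'class', 'style'];

echo scrub_attributes($sample, $allowed, true), "\n";   // style stripped everywhere
echo scrub_attributes($sample, $allowed, false), "\n";  // style kept, unlisted attributes still dropped
```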