Filtering User Input for XSS with PHP
Written by Administrator
Friday, 22 June 2007
I've been building some web apps that rely on integrated WYSIWYG text editors for user input, which is typically a very dangerous thing to do in a secure application: the editor hands you arbitrary HTML, and any of it that reaches other users' browsers unfiltered is a stored XSS vector. Fortunately, I discovered an excellent PHP library, written by Edward Z. Yang, called HTML Purifier. It takes HTML input, lexes it into tokens and parses its node structure, validates and corrects every element and attribute against the HTML/XHTML specification using a whitelist of permitted tags and attributes, and then emits safe, standards-compliant XHTML that can be used anywhere without fear that someone has sneaked malicious JavaScript past your filters. Of course, if you want your users to be able to add specific bits of JavaScript or embed code to a page, HTML Purifier can be extended with filter plugins that let your custom code pass through unaffected. In just a few minutes I was able to use its example YouTube video filter as a template for my own filter that lets FlashObject code pass safely through. Unfortunately the developer doesn't have a donation page, so I couldn't send him money, but he said that spreading the word would suffice for now, so consider the word officially spread.
Last Updated ( Saturday, 23 June 2007 )