brettbrewer.com

Programming + Design

Home
Filtering User Input for XSS with PHP PDF Print E-mail
Written by Brett Brewer   
Friday, 22 June 2007
I've been building some web apps that rely on integrated WYSIWYG text editors for user input, which is something that is typically very dangerous to do in a secure application. Fortunately, I discovered an amazing PHP library, written by Edward Z. Yang, called HTML Purifier , which will take html input, parse its node structure and break it into tokens, validate and correct any nodes according to the relevant RFC definitions, then spits out safe, standards-compliant XHTML which can be used anywhere without fear that some 13-year-old Russian kid found a way to sneak some malicious javascript through your filters. Of course, if you want your users to be able to add specific bits of javascript  code to a page, HTML Purifier can be easily extended with plugins to allow your custom code to pass through unaffected. In just a few minutes I was able to use their example YouTube video plugin to write my own filter that will let FlashObject code pass safely through the filters. Unfortunately the developer doesn't have a donation page so I couldn't send him money, but he said that just spreading the word would suffice for now, so consider the word officially spread. 
Last Updated ( Saturday, 23 June 2007 )
 
< Prev

Search

Who's Online

We have 1 guest online

© 2017 www.brettbrewer.com
Joomla! is Free Software released under the GNU/GPL License.