HTML purifier vs Global XSS filtering - Printable Version
+- CodeIgniter Forums (https://forum.codeigniter.com)
+-- Forum: Archived Discussions (https://forum.codeigniter.com/forumdisplay.php?fid=20)
+--- Forum: Archived Development & Programming (https://forum.codeigniter.com/forumdisplay.php?fid=23)
+--- Thread: HTML purifier vs Global XSS filtering (/showthread.php?tid=32303)
HTML purifier vs Global XSS filtering - El Forum - 07-19-2010

[eluser]Flynn[/eluser]
I don't know if such a topic already exists. Anyway, how good is the default XSS filtering compared against HTML Purifier? Will XSS filtering be able to remove malicious code (I checked, usually it can), close open HTML tags, etc. as well as HTML Purifier does? Thanks.


HTML purifier vs Global XSS filtering - El Forum - 07-19-2010

[eluser]Buso[/eluser]
I think XSS is for JavaScript removal. If someone injects </div> in your site, or a giant link to a spam site, it doesn't count as XSS, but it will still break your site. So you should always htmlentities() any user-generated content, or strip_tags().


HTML purifier vs Global XSS filtering - El Forum - 07-19-2010

[eluser]Flynn[/eluser]
Well, the XSS filter does some cleaning besides JS removal too. Closes tags and stuff. Still, I think I'm going to rewrite it a bit for more functionality. Thanks.
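The three approaches the thread puts side by side, escaping with htmlspecialchars(), stripping with strip_tags(), and an allow-list sanitizer of the kind HTML Purifier implements, run over the cases the posters raise (a script tag, an event-handler attribute, a javascript: link, a stray closing tag with an unclosed tag after it, and a spam link). This is an added example, not code from the thread, from CodeIgniter or from HTML Purifier. CodeIgniter's own xss_clean() (the filter the `global_xss_filtering` setting applies to every request) is not included; the small DOM-based pass below stands in for what a purifier does, and it is written on PHP's bundled DOM extension so it runs without any library. The functions `escape_text`, `safe_url`, `unwrap`, `sanitize_node`, `sanitize_html`, the `$policy` array and the sample strings are all invented here for the example.

```php
<?php
// Added example, not code from the thread, CodeIgniter or HTML Purifier.
// 1. Escaping for a plain-text HTML context (what Buso recommends).
function escape_text(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Accept only http(s), mailto and scheme-less (relative) URLs.
function safe_url(string $url): bool
{
    // Browsers skip control chars inside a scheme ("java\tscript:" runs), so strip them.
    $probe = preg_replace('/[\x00-\x20]+/', '', $url) ?? '';
    if (!preg_match('/^[a-z][a-z0-9+.-]*:/i', $probe)) {
        return true;                          // no scheme: relative URL
    }
    return preg_match('/^(https?|mailto):/i', $probe) === 1;
}

// Replace an element by its children: the text stays, the tag goes.
function unwrap(DOMElement $el): void
{
    $parent = $el->parentNode;
    while ($el->firstChild !== null) {
        $parent->insertBefore($el->firstChild, $el);
    }
    $parent->removeChild($el);
}

// 3. Allow-list pass. $allowed maps element name => permitted attribute names.
function sanitize_node(DOMNode $node, array $allowed): void
{
    // Iterate over a copy: the loop mutates the child list.
    foreach (iterator_to_array($node->childNodes) as $child) {
        if (!($child instanceof DOMElement)) {
            if (!($child instanceof DOMText)) {
                $node->removeChild($child);   // comments, PIs, CDATA
            }
            continue;
        }
        $name = strtolower($child->tagName);
        if ($name === 'script' || $name === 'style') {
            $node->removeChild($child);       // their text is code, not content
            continue;
        }
        sanitize_node($child, $allowed);      // clean the subtree first
        if (!isset($allowed[$name])) {
            unwrap($child);                   // unknown element: keep text only
            continue;
        }
        foreach (iterator_to_array($child->attributes, false) as $attr) {
            $aname = strtolower($attr->name);
            $keep  = in_array($aname, $allowed[$name], true)
                && (($aname !== 'href' && $aname !== 'src') || safe_url($attr->value));
            if (!$keep) {
                $child->removeAttribute($attr->name);
            }
        }
    }
}

function sanitize_html(string $dirty, array $allowed): string
{
    $doc  = new DOMDocument();
    $prev = libxml_use_internal_errors(true); // broken markup is expected input
    // <?xml ...> makes loadHTML() read UTF-8; the wrapper div stops libxml from
    // putting leading text into an implied <p>.
    $doc->loadHTML('<?xml encoding="UTF-8"><html><body><div id="__wrap__">'
        . $dirty . '</div></body></html>');
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    $xp   = new DOMXPath($doc);
    $body = $xp->query('//body')->item(0);
    $wrap = $xp->query('//div[@id="__wrap__"]')->item(0);
    if ($wrap instanceof DOMElement) {
        unwrap($wrap); // a stray </div> in $dirty closes it early; what follows
    }                  // then sits beside it in <body> and is sanitized anyway
    sanitize_node($body, $allowed);
    // Only <body> children are emitted; anything libxml put elsewhere is dropped.
    $out = '';
    foreach ($body->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

$samples = [ // constructed inputs covering the cases raised in the thread
    'script'     => 'Hi <script>alert(1)</script> there',
    'handler'    => '<b onmouseover="alert(1)">bold</b>',
    'js_url'     => '<a href="javascript:alert(1)">click</a>',
    'unbalanced' => '</div><b>unclosed bold',
    'spam_link'  => '<a href="http://spam.example/">buy now</a> text',
];
$policy = ['b' => [], 'i' => [], 'p' => [], 'a' => ['href', 'title']];
foreach ($samples as $label => $dirty) {
    printf("%-10s escaped:   %s\n", $label, escape_text($dirty));
    printf("%-10s strip:     %s\n", $label, strip_tags($dirty, '<b>')); // 2. attrs survive
    printf("%-10s sanitized: %s\n", $label, sanitize_html($dirty, $policy));
}
```

Running it shows the distinction the thread is circling. Escaping is the right tool when user content is displayed as text: the `</div>` and the spam link come out as literal characters and can neither break layout nor be clicked. strip_tags() with an allowed tag is not a sanitizer: `<b onmouseover="alert(1)">bold</b>` passes through with its event handler, and the unclosed `<b>` stays unclosed. The allow-list pass drops the handler attribute and the `javascript:` href, re-serializes the unclosed `<b>` with its closing tag, and discards the stray `</div>`, but it keeps `<a href="http://spam.example/">` because that is valid HTML under the policy; as Buso says, a spam link is a policy problem, not XSS, and is handled by the policy (no `a` in `$policy`, or a `rel="nofollow"` rewrite), not by the filter. Two caveats for anyone reusing the pattern: libxml's HTML parser is an HTML4 parser, so on malformed input its tokenization can differ from a browser's, which is why a full library (HTML Purifier, or `Dom\HTMLDocument` on PHP 8.4 and later for HTML5 parsing) is preferable to a home-grown pass in production; and HTML Purifier also validates nesting rules and CSS in `style` attributes, which this example does not attempt.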