Are you sure about handling SECURITY?!
(07-17-2016, 04:00 PM)PaulD Wrote:

Hi again, greetings to you.

You mean using HTML Purifier or xss_clean is a trade-off, right? The first is better, but it is third party and its operation is time consuming. About xss_clean and "If anything disallowed is encountered it is rendered safe by converting the data to character entities.": when I tested it, as I said before, if there was a <script> element in the field (a post), it did not print it like <script>; instead it printed [removed]!

Quote: I do not think anyone would propose using it on a name field for a form.

My main problem is about posts that will be shown to users and are full of tags, not a name field. As @mwhitney mentioned and said to a user, we cannot rely on database data; it is untrusted.

Thanks a lot.
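One way to keep the two cases in this post apart (a plain name field that is entity-escaped at output time versus a post body that is passed through an allow-list purifier once, when it is saved), as an added PHP illustration that is not code from the thread, from CodeIgniter or from HTML Purifier's documentation; it assumes HTML Purifier installed through Composer, a PDO connection, and made-up function, table and column names:

```php
<?php
// Added illustration, not from the thread. Assumes HTML Purifier is installed
// via Composer (vendor/autoload.php); function, table and column names are made up.
require_once 'vendor/autoload.php';

// Plain-text field (e.g. the "name" field): no markup is wanted there, so every
// HTML metacharacter is converted to an entity when the value is rendered.
// A stored "<script>" is therefore displayed literally as text instead of
// being replaced by "[removed]" the way xss_clean does.
function render_plain(string $untrusted): string
{
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Rich-text field (a post body full of tags): keep only an explicit allow-list of
// elements, attributes and URL schemes. HTML Purifier parses and rebuilds the
// fragment, so anything not on the list is dropped rather than matched by pattern.
function build_purifier(): HTMLPurifier
{
    $config = HTMLPurifier_Config::createDefault();
    $config->set('HTML.Allowed', 'p,br,b,strong,i,em,ul,ol,li,blockquote,code,pre,a[href]');
    $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true]);
    $config->set('AutoFormat.RemoveEmpty', true);
    return new HTMLPurifier($config);
}

// Purifying is the slow part, so do it once when the post is saved and store the
// cleaned copy next to the original. The raw column stays untrusted; only the
// cleaned column is ever echoed into a page, and it can be regenerated from the
// raw column whenever the allow-list changes.
function save_post(PDO $db, int $authorId, string $rawBody, HTMLPurifier $purifier): void
{
    $stmt = $db->prepare(
        'INSERT INTO posts (author_id, body_raw, body_clean) VALUES (?, ?, ?)'
    );
    $stmt->execute([$authorId, $rawBody, $purifier->purify($rawBody)]);
}

// Constructed sample values for a quick run without a database:
$purifier = build_purifier();
echo render_plain('Bob <script>stuff</script>'), "\n";          // tags shown as text
echo $purifier->purify('<p onclick="x">Hello <b>world</b></p>'), "\n"; // attribute dropped, <b> kept
```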
Messages In This Thread
Are you sure about handling SECURITY?! - by pb.sajjad - 07-15-2016, 06:52 AM
RE: Are you sure about handling SECURITY?! - by PaulD - 07-15-2016, 07:13 AM
RE: Are you sure about handling SECURITY?! - by mwhitney - 07-15-2016, 10:19 AM
RE: Are you sure about handling SECURITY?! - by pb.sajjad - 07-17-2016, 12:48 PM
RE: Are you sure about handling SECURITY?! - by mwhitney - 07-18-2016, 01:38 PM
RE: Are you sure about handling SECURITY?! - by PaulD - 07-17-2016, 01:22 PM
RE: Are you sure about handling SECURITY?! - by pb.sajjad - 07-17-2016, 02:46 PM
RE: Are you sure about handling SECURITY?! - by PaulD - 07-17-2016, 04:00 PM
RE: Are you sure about handling SECURITY?! - by pb.sajjad - 07-18-2016, 03:27 AM