(07-17-2016, 12:48 PM)pb.sajjad Wrote: - I can validate inputs (SCENARIO 1) with form validation library while accepting data via form submitting. If they are valid, insert them into database. When I read these values to send as HTML output, I must validate via PHP built-in functions like intval, filter_var or..., if they passed validations (validating inputs is done), now with xss_clean or HTML Purifier, I escape them and finally echo them in view file and send them to user browser, right?
You can use the form validation library in both directions if you wish, it's just more limited in its usefulness (and requires more work) when you're using it without a form. You can also use built-in and custom functions in combination with the form validation library in either situation. Remember that in both cases, you need to also escape your output for the appropriate context (escape it for insertion into the database and escape it for display as HTML). Escaping for the database is usually much simpler than escaping for display as HTML, but the results of doing so incorrectly (or not doing so) can be devastating.
Quote:- In SCENARIO 2 (that I've HTML tags), the validation is not simple. so I use HTML Purifier and then store them into database. In this case when I want to output them as HTML, should I use HTML Purifier again? Or store them without HTML Purifier and when I output them, use it?
HTML Purifier is not used for validation, and using it on data that is to be stored in the database is usually not a good idea. I previously linked to a page in HTML Purifier's documentation which describes the way this should be done, if at all, and the limitations of doing so. If you do run the content through HTML Purifier before storing it, you shouldn't be running it through HTML Purifier again, but you should store the original input, as well, and have some method of re-processing the original input as needed (for example, in case a bug is found in HTML Purifier and you need to make sure your content is safe).
If you are pre-processing the data, you should look into methods of validating that the data you retrieved from the database is the same data you stored after processing. Otherwise, you can't trust the data and will need to run it through HTML Purifier, which defeats the purpose of pre-processing it.
Also, I would never assume that I know where the data came from. I don't know if it came from the database, was generated by the database/model, etc. Maybe I know these things when I initially wrote the code, but someone could pass input to the same code from a different source, or someone could modify the database to corrupt the data which the database/model initially generated. By not making an assumption about where the code comes from, you allow yourself to not only write safer code, but also more flexible code, because you can safely pass data to it from other sources. Just thinking about that possibility can also make it easier to make good design decisions about your code earlier in the process.
Quote:- Both of users that replied to this question, do not say clearly xss_clean is better or HTML Purifier (as third party)! When I use xss_clean, if there is an <script> tag, it will print [removed], and HTML Purifier remove it.
I would usually use HTML Purifier only when I expect HTML, especially in a relatively large field in the data, but it's still acceptable to use xss_clean() in that case. I would not use HTML Purifier on any field in which I do not expect HTML, but I would probably still use xss_clean(), unless I had a specific reason not to do so. In cases where I use neither, I would probably still use html_escape() or some other appropriate method of escaping the field(s) before output.
If I am not outputting the data in the body of an HTML page, I would never use xss_clean(), and whether I would use HTML Purifier would depend on the configuration and the destination of the data.
Quote:- One more thing is I, as admin, write posts with full of tags. In this case, I use <script> tags and must be there. How could I handle this? When I use xss_clean or HTML Purifier, they removed <script>! What should I do?
Don't do that. It's a bad answer, but what you're doing is a bad practice. Look at what many CSS/JavaScript frameworks have been doing for some time now. You can make your scripts target classes and data attributes in your markup. Then your scripts are included in your site's footers and you just add the appropriate attributes/values to your markup. If you have some bigger scripts which are used less often, you can add fields to your data to indicate whether those scripts should be included.
