HTML purifier vs Global XSS filtering

#1
[eluser]Flynn[/eluser]
I don't know if such a topic already exists. Anyway, how good is the default XSS filtering compared against HTML Purifier? Will XSS filtering be able to remove malicious code (I checked, usually it can), close open HTML tags, etc. as well as HTML Purifier?

Thanks.

#2
[eluser]Buso[/eluser]
I think XSS is for JavaScript removal.

If someone injects </div> in your site, or a giant link to a spam site, it doesn't count as XSS, but it will still break your site.

So you should always htmlentities() any user generated content, or strip_tags().
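
The two approaches named in the post above, plus HTML Purifier from the thread title, run over the kinds of input the post describes. This is an added example, not code from the thread or from any of the projects mentioned; the sample strings and the helper names `escape_for_html` and `strip_then_escape` are constructed for illustration, and the HTML Purifier branch runs only if that library is already loaded.

```php
<?php
// Constructed sample comments (not from the thread): markup that breaks
// layout without containing any script.
$samples = [
    'stray close tag' => 'Nice post!</div></div>',
    'oversized link'  => '<a href="http://spam.example/" style="font-size:60px">BUY NOW</a>',
    'unclosed tag'    => 'This is <b>bold and never closed',
    'bare less-than'  => 'x<y, so the rest of this sentence matters',
];

// Output encoding for an HTML text context: characters with special meaning
// become entities, so the browser displays the markup instead of parsing it.
function escape_for_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Tag removal. strip_tags() does not validate HTML, so partial or broken
// tags can remove more text than expected; its result is still encoded
// before output rather than trusted as-is.
function strip_then_escape(string $s): string
{
    return escape_for_html(strip_tags($s));
}

// Use HTML Purifier only when user HTML must be kept: it parses the input,
// drops what its configuration does not allow, and emits balanced markup.
$purifier = null;
if (class_exists('HTMLPurifier')) {
    $purifier = new HTMLPurifier(HTMLPurifier_Config::createDefault());
}

foreach ($samples as $label => $input) {
    echo "[$label]\n";
    echo "  raw:      $input\n";
    echo "  escaped:  " . escape_for_html($input) . "\n";
    echo "  stripped: " . strip_then_escape($input) . "\n";
    if ($purifier !== null) {
        echo "  purified: " . $purifier->purify($input) . "\n";
    }
    echo "\n";
}
```

Run it from the command line and compare the `escaped` and `stripped` lines for the last sample to see how the two approaches differ on text that merely contains a `<`.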

#3
[eluser]Flynn[/eluser]
Well, XSS does some cleaning besides JS removal too. Closes tags and stuff. Still, I think I'm gonna rewrite it a bit for more functionality.
Thanks.

