XSS attacks and cleansing user entered data
#1

[eluser]mikegioia[/eluser]
Hi everyone -

I'm sure this topic has been gone over before, but I was wondering what everyone does to handle user entered data. For example, I have a site where users can save notes and the notes get displayed on the page.

Does it make sense to run all input (like POST) through the XSS filter, and then save it to the database?

When displaying any user saved content, should I be echoing out the content through htmlentities()?

Instead of echoing out everything through htmlentities() should I instead store it in the database, htmlentities() encoded?

Or is there some other alternative? Because right now users can add HTML, JavaScript, anything, and it's executing on my page.

I'd appreciate any help you may have on this,
Mike
#2

[eluser]George Petsagourakis[/eluser]
Have you noticed this?
http://ellislab.com/codeigniter/user-gui...input.html

XSS filtering included!
#3

[eluser]mikegioia[/eluser]
Yeah, I had seen that and used it a little bit, but I thought that it might be too much overhead to run on all POST data. Perhaps I'll give that a try though and maybe see if there are any performance hits.
#4

[eluser]mikegioia[/eluser]
I just ran it, and while it will remove any cross-site scripting, the XSS filter still lets HTML tags through. So right now I'm passing data through like this:

Code:
$data = htmlentities($this->input->xss_clean($data));

That looks very ugly, and I'm wondering if the same can be accomplished with just the htmlentities? Also, what exactly is XSS Clean stripping from the data?
#5

[eluser]xwero[/eluser]
Mostly JavaScript code, because that is the most dangerous. Tags aren't considered to be a risk because they have a legitimate use.
If you don't want users to input tags, the PHP function strip_tags is a faster way to prevent XSS attacks, but then you should also check that JavaScript code isn't inserted using entities.
Code:
$data = strip_tags(html_entity_decode($_POST['data'], ENT_QUOTES));
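An added example, not code from this thread or from CodeIgniter, contrasting the two approaches discussed above (store raw and escape on output, versus decode entities and strip tags) on a constructed note; it uses only core PHP, and the function names are my own:

```php
<?php
// Added example (not from the thread): compare escape-on-output with
// decode-then-strip_tags on a constructed note. Requires PHP >= 5.4.

// Constructed sample note: normal text, an entity-encoded tag, an inline
// script, and a bare "<" that is not markup at all.
$note = "Buy milk &amp; eggs &lt;b&gt;tonight&lt;/b&gt; "
      . "<script>alert(1)</script> price<10";

// Approach A: keep the stored note exactly as typed and escape it when it
// is rendered into HTML. ENT_QUOTES escapes both quote styles so the value
// is also safe inside a quoted attribute; pass the charset explicitly.
function escape_for_html(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Approach B (xwero's suggestion): decode entities first so that an
// entity-encoded tag cannot slip past strip_tags, then drop every tag.
// This is lossy: strip_tags("price<10") returns "price", because "<1"
// starts what looks like a tag that never closes. Reserved characters
// that survive (here the decoded "&") still need escaping on output.
function strip_markup(string $text): string
{
    return strip_tags(html_entity_decode($text, ENT_QUOTES, 'UTF-8'));
}

// Render the same note both ways into a page fragment. In both cases the
// final step is an HTML escape, so nothing user-controlled reaches the
// browser as markup.
printf("<p>%s</p>\n", escape_for_html($note));               // markup shown as literal text
printf("<p>%s</p>\n", escape_for_html(strip_markup($note)));  // markup removed, rest escaped
```

Whichever variant is chosen, the escape belongs at the point of output, since a note stored already-encoded cannot be reused safely in a non-HTML context (JSON, plain-text email) without decoding it first.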