[nycphp-talk] Injection Attack, any ideas?

Rob Marscher rmarscher at beaffinitive.com
Mon Nov 12 16:26:54 EST 2007


On Nov 12, 2007, at 1:25 PM, Dan Cech wrote:
> The fact that your example demonstrates the proper approach (using html
> escaping to display the user data) rather than 'scrubbing and cleaning'
> the input makes this advice even more confusing.

If you need to allow user input of html, HTMLPurifier is pretty nice to get
rid of the possible XSS attack - http://htmlpurifier.org/

But it's expensive to escape it every time someone views the page.
Therefore, it's recommended to filter it on input but store the filtered
version in a separate column in the database from the input directly from
the user (in case the filter causes unexpected data loss from malformed
html).