I was wondering if anyone had any feedback on this PHP input filter class. We are playing with it to stop XSS code, and to strip HTML tags from places they should not be. So far we have had great luck with it. I was wondering if anyone else had anything to say about it.
http://www.cyberai.com/inputfilter
PHP Input Filter Class
- Ambush Commander
Very impressive. A stack based parser... I've noodled around these for a long time, so I'm glad to see a class that implements it.
However, the design of the parser is fundamentally flawed. It assumes that it's possible to correct HTML simply by doing a bunch of processing hacks to it. You will only achieve near-security by *understanding* the specification and then whitelisting accordingly.
It's very effective, however, for being such a lightweight class, and I'll keep my eye on it. However, I'm fairly certain that there are workarounds, and furthermore, the HTML it outputs is not necessarily well-formed (for instance, it lets people put block-level tags inside inline tags), and it's only as good as the tags it allows (don't rely on blacklisting), so be careful!
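The whitelist-plus-stack approach the reply argues for, as an added example (not the cyberai class and not code posted by anyone in this thread); the tag list, the allowed attributes and the block/inline split are assumptions chosen for the demo.

```php
<?php
// Added example, not the cyberai class: keep only whitelisted tags and attributes,
// and use a stack so the output is well-formed (tag names, attribute list and the
// block/inline split below are assumptions for the demo).
final class WhitelistHtmlFilter
{
    private const ALLOWED = ['p' => [], 'b' => [], 'i' => [], 'em' => [], 'strong' => [],
                             'ul' => [], 'li' => [], 'br' => [], 'a' => ['href', 'title']];
    private const BLOCK = ['p', 'ul', 'li'];
    private const VOID  = ['br'];
    public function filter(string $html): string
    {
        $out = ''; $stack = [];
        foreach (preg_split('/(<[^>]*>)/', $html, -1, PREG_SPLIT_DELIM_CAPTURE) as $tok) {
            if (!preg_match('#^<(/?)([a-z][a-z0-9]*)([^>]*)>$#i', $tok, $m)) {
                $out .= htmlspecialchars($tok, ENT_QUOTES, 'UTF-8'); // text or malformed tag: escape it
                continue;
            }
            $name = strtolower($m[2]);
            if (!isset(self::ALLOWED[$name])) continue;                  // not whitelisted: drop it
            if ($m[1] === '/') {                                          // closing tag
                if (in_array($name, self::VOID, true) || !in_array($name, $stack, true)) continue;
                while (($open = array_pop($stack)) !== $name) $out .= "</$open>"; // close unclosed children
                $out .= "</$name>";
                continue;
            }
            // a block element directly inside an open inline element is not well-formed: drop it
            if (in_array($name, self::BLOCK, true) && $stack && !in_array(end($stack), self::BLOCK, true)) continue;
            $out .= '<' . $name . $this->attrs($name, $m[3]) . '>';
            if (!in_array($name, self::VOID, true)) $stack[] = $name;
        }
        while ($stack) $out .= '</' . array_pop($stack) . '>';           // close anything left open
        return $out;
    }
    private function attrs(string $tag, string $raw): string
    {
        $kept = '';
        preg_match_all('/([a-z][a-z0-9-]*)\s*=\s*("[^"]*"|\'[^\']*\'|[^\s"\'>]+)/i', $raw, $pairs, PREG_SET_ORDER);
        foreach ($pairs as $p) {
            $attr = strtolower($p[1]);
            $val  = trim($p[2], "\"'");
            if (!in_array($attr, self::ALLOWED[$tag], true)) continue;           // event handlers, style, etc.
            if ($attr === 'href' && !preg_match('#^https?://#i', $val)) continue; // only http(s) links survive
            $kept .= ' ' . $attr . '="' . htmlspecialchars($val, ENT_QUOTES, 'UTF-8') . '"';
        }
        return $kept;
    }
}
echo (new WhitelistHtmlFilter())->filter('<p onclick="x()">Hi <a href="ftp://h">l</a> <b><p>n</b>'), PHP_EOL; // constructed sample
```

Anything not on the whitelist is dropped rather than "corrected", and the stack closes stray or missing end tags so the result is always balanced.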