PHP Input Filter Class

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Technocrat
Forum Contributor
Posts: 127
Joined: Thu Oct 20, 2005 7:01 pm

PHP Input Filter Class

Post by Technocrat »

I was wondering if anyone had any feedback on this PHP input filter class. We are playing with it to stop XSS code, and to strip HTML tags from places they should not be. So far we have had great luck with it. I was wondering if anyone else had anything to say about it.

http://www.cyberai.com/inputfilter
McGruff
DevNet Master
Posts: 2893
Joined: Thu Jan 30, 2003 8:26 pm
Location: Glasgow, Scotland

Post by McGruff »

Is there a code download link?
McGruff
DevNet Master
Posts: 2893
Joined: Thu Jan 30, 2003 8:26 pm
Location: Glasgow, Scotland

Post by McGruff »

Got it now - I had js turned off.
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

Very impressive. A stack-based parser... I've noodled around with these for a long time, so I'm glad to see a class that implements it.

However, the design of the parser is fundamentally flawed. It assumes that it's possible to correct HTML simply by doing a bunch of processing hacks to it. You will only achieve near-security by *understanding* the specification and then whitelisting accordingly.

It's very effective, however, for being such a lightweight class, and I'll keep my eye on it. However, I'm fairly certain that there are workarounds, and furthermore, the HTML it outputs is not necessarily well-formed (for instance, it lets people put block-level tags inside inline tags), and it's only as good as the tags it allows (don't rely on blacklisting), so be careful!
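The two points raised in the post above, "whitelist according to the specification" and "don't rely on blacklisting", are easier to see side by side in code. The following is an added example, not the class linked in the thread and not anyone's code from this discussion; it is written in Python rather than PHP because it only needs a standard tokenizer, and everything in it (the tag and attribute sets in ALLOWED, the BLOCK/VOID/DROP_CONTENT groupings, the sanitize and blacklist_strip helpers, and the sample inputs at the bottom) is this example's own assumption. It rebuilds a fragment from a tag whitelist, checks href schemes the way a browser would read them (after decoding entities and stripping tab/CR/LF), refuses block-level tags opened inside inline ones so the output stays well-formed, and contrasts that with a regex "strip <script>" blacklist that a nested tag walks straight through.

```python
import html
import re
from html.parser import HTMLParser

# Whitelist: tag -> attributes permitted on it. Anything absent is dropped.
# (Tag set and names are this example's assumptions, not the class under discussion.)
ALLOWED = {
    "p": set(), "ul": set(), "ol": set(), "li": set(), "blockquote": set(),
    "b": set(), "i": set(), "em": set(), "strong": set(), "code": set(),
    "br": set(), "a": {"href", "title"},
}
BLOCK = {"p", "ul", "ol", "li", "blockquote"}  # block-level per the HTML 4 content model
VOID = {"br"}                                    # element that takes no closing tag
DROP_CONTENT = {"script", "style"}               # discard the element *and* its text
SAFE_SCHEMES = {"http", "https", "mailto"}
CONTROLS = "".join(map(chr, range(0x21)))        # C0 controls and space
SCHEME_RE = re.compile(r"[A-Za-z][A-Za-z0-9+.-]*:")


def safe_url(value):
    """Return a normalised URL if its scheme is whitelisted or it is relative, else None.

    Browsers drop tab/CR/LF anywhere in a URL and leading controls before reading
    the scheme, so 'java\\tscript:' has to be normalised the same way before the
    check; a check on the raw string is bypassable."""
    cleaned = re.sub(r"[\t\n\r]", "", value).strip(CONTROLS)
    m = SCHEME_RE.match(cleaned)
    if m is None:
        return cleaned                      # relative URL: no scheme to abuse
    scheme = m.group()[:-1].lower()
    return cleaned if scheme in SAFE_SCHEMES else None


class WhitelistSanitizer(HTMLParser):
    """Rebuild a fragment from whitelisted tags only; everything else becomes text or vanishes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)  # attribute values arrive entity-decoded
        self.out = []
        self.stack = []      # open whitelisted elements, innermost last
        self.suppress = 0    # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.suppress += 1
            return
        if tag not in ALLOWED:
            return           # unknown tag: the tag is dropped, its text is kept
        if tag in BLOCK and any(t not in BLOCK for t in self.stack):
            return           # block element inside an inline one: not well-formed, drop it
        attr_text = ""
        for name, value in attrs:
            if name not in ALLOWED[tag] or value is None:
                continue
            if name == "href":
                value = safe_url(value)
                if value is None:
                    continue
            attr_text += ' %s="%s"' % (name, html.escape(value, quote=True))
        self.out.append("<%s%s>" % (tag, attr_text))
        if tag not in VOID:
            self.stack.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.suppress = max(0, self.suppress - 1)
            return
        if tag not in self.stack:
            return           # stray or unknown closing tag
        while self.stack:    # close anything still open inside it so nesting balances
            open_tag = self.stack.pop()
            self.out.append("</%s>" % open_tag)
            if open_tag == tag:
                break

    def handle_data(self, data):
        if not self.suppress:
            self.out.append(html.escape(data, quote=False))

    # Comments, <!DOCTYPE ...>, <?pi?> and CDATA sections hit HTMLParser's
    # default no-op handlers, so they never reach the output.

    def result(self):
        self.close()
        while self.stack:    # close whatever the input left open
            self.out.append("</%s>" % self.stack.pop())
        return "".join(self.out)


def sanitize(fragment):
    p = WhitelistSanitizer()
    p.feed(fragment)
    return p.result()


# The "processing hack" approach, for contrast: strip <script>...</script> with a regex.
SCRIPT_RE = re.compile(r"<script\b.*?</script\s*>", re.I | re.S)


def blacklist_strip(fragment):
    return SCRIPT_RE.sub("", fragment)


if __name__ == "__main__":
    # Constructed sample inputs for illustration.
    for sample in ('<scr<script></script>ipt>alert(1)</script>',
                   '<a href="java&#9;script:alert(1)" onclick="x()">link</a>',
                   '<b>bold<p>para</p></b>', '<p><b>x</p>'):
        print(repr(sample), "->", repr(sanitize(sample)),
              "| blacklist:", repr(blacklist_strip(sample)))
```

Two things worth noticing when running it: the nested `<scr<script></script>ipt>` input comes out of blacklist_strip as a live `<script>alert(1)</script>`, because removing one match glues the outer pieces back together, while the whitelist never emits a tag it was not told about; and the `java&#9;script:` href is rejected only because the entity is decoded and the tab stripped before the scheme is compared, which is the "understand the specification" part of the advice.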