PHP Input Filter Class
Posted: Thu Oct 20, 2005 8:22 pm
by Technocrat
I was wondering if anyone had any feedback on this PHP input filter class. We are playing with it to stop XSS code, and to strip HTML tags from places they should not be. So far we have had great luck with it. I was wondering if anyone else had anything to say about it.
http://www.cyberai.com/inputfilter
Posted: Sat Oct 22, 2005 11:43 am
by McGruff
Is there a code download link?
Posted: Sat Oct 22, 2005 11:53 am
by McGruff
Got it now - I had js turned off.
Posted: Sat Oct 22, 2005 12:53 pm
by Ambush Commander
Very impressive. A stack based parser... I've noodled around these for a long time, so I'm glad to see a class that implements it.
However, the design of the parser is fundamentally flawed. It assumes that it's possible to correct HTML simply by doing a bunch of processing hacks to it. You will only achieve near-security by *understanding* the specification and then whitelisting accordingly.
It's very effective, however, for being such a lightweight class, and I'll keep my eye on it. However, I'm fairly certain that there are workarounds, and furthermore, the HTML it outputs is not necessarily well-formed (for instance, it lets people put block-level tags inside inline tags). It's only as good as the tags it allows (don't rely on blacklisting), so be careful!
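To make the whitelisting and well-formedness points above concrete, here is an added example of a stack-based, allow-list HTML sanitizer. It is written in Python for illustration and is not the cyberai.com InputFilter class or any poster's code. The tag/attribute allow-list (ALLOWED), the set of block-level tags (BLOCK) and the accepted URL schemes are assumptions chosen for the example; a real deployment would derive them from the HTML spec and the application's needs. Unknown tags and attributes are dropped rather than "fixed", a block-level tag opened inside an inline tag is dropped, stray close tags are ignored, and anything still open at the end is closed so the output nests properly.

```python
"""Allow-list HTML sanitizer with a tag stack (added example, not the PHP class
under discussion). Policy tables below are assumptions for illustration."""
import html
from html.parser import HTMLParser

# Assumed policy: tag -> allowed attributes. Anything not listed is dropped.
ALLOWED = {
    "p": set(), "br": set(), "b": set(), "i": set(), "em": set(), "strong": set(),
    "a": {"href", "title"}, "ul": set(), "ol": set(), "li": set(),
}
BLOCK = {"p", "ul", "ol", "li"}          # block-level subset of ALLOWED (assumed)
VOID = {"br"}                            # tags that take no close tag
SAFE_URL_SCHEMES = ("http://", "https://", "mailto:")  # assumed href policy


class WhitelistSanitizer(HTMLParser):
    """Re-emits only allow-listed markup; everything else becomes escaped text
    or is discarded. self.stack tracks open tags for well-formedness."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.stack = []       # currently open allow-listed tags
        self.dropped = []     # tags that were stripped, for logging/inspection

    def _attr_ok(self, tag, name, value):
        if name not in ALLOWED[tag]:
            return False      # event handlers, style, etc. never get through
        if name == "href":    # javascript:, data:, vbscript: and friends rejected
            return (value or "").strip().lower().startswith(SAFE_URL_SCHEMES)
        return True

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            self.dropped.append(tag)
            return
        # Block-level content inside an open inline element is not well-formed:
        # drop the block tag instead of emitting something browsers must repair.
        if tag in BLOCK and any(t not in BLOCK for t in self.stack):
            self.dropped.append(tag)
            return
        kept = [(n, v) for n, v in attrs if self._attr_ok(tag, n, v)]
        attr_text = "".join(
            f' {n}="{html.escape(v or "", quote=True)}"' for n, v in kept)
        self.out.append(f"<{tag}{attr_text}>")
        if tag not in VOID:
            self.stack.append(tag)

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)
        if tag not in VOID:
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if tag in VOID or tag not in self.stack:
            return            # stray or unknown close tag: ignore
        while self.stack:     # close anything left open above it
            open_tag = self.stack.pop()
            self.out.append(f"</{open_tag}>")
            if open_tag == tag:
                break

    def handle_data(self, data):
        # Text (including the body of a dropped <script>) is always escaped.
        self.out.append(html.escape(data, quote=False))

    def handle_comment(self, data):
        pass                  # comments dropped entirely

    def result(self):
        while self.stack:     # close whatever the input left open
            self.out.append(f"</{self.stack.pop()}>")
        return "".join(self.out)


def sanitize(fragment):
    """Return the sanitized fragment for an untrusted HTML string."""
    p = WhitelistSanitizer()
    p.feed(fragment)
    p.close()
    return p.result()


if __name__ == "__main__":
    # Constructed sample inputs, not real user data.
    for sample in (
        '<b onmouseover="alert(1)">hi</b>',
        '<a href="javascript:alert(1)">x</a>',
        '<img src=x onerror=alert(1)>',
        '<b><p>block inside inline</p></b>',
        '<p>unclosed <i>text',
    ):
        print(repr(sample), "->", repr(sanitize(sample)))
```

The point of the design is that nothing is "corrected" by pattern-matching on the input: the parser only ever emits markup it has positively decided is allowed, and the stack guarantees the emitted tags close in order. Adding a tag to ALLOWED is therefore the only way to widen what gets through, which is exactly the property a blacklist-based filter lacks.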