Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.
I can't fix that. I'm using the DOM extension to parse the HTML, so if it ordains that <<img is invalid, so be it. It's not like no output stops it from validating.
I, however, do have a native PHP lexer implemented for PHP 4. That probably would handle the malformed HTML correctly.
Nope. (Note that this package is also in PEAR as HTML_Safe.) Ivanov's package does blacklist filtering (flawed by design), and doesn't guarantee validation. I do whitelist filtering and guarantee validation.
Well... I'm wondering how many features I should tack on before releasing the beta.
Default behavior now drops invalid tags. More CSS properties supported, basically everything you need except text-decoration. Fixed an attack that could crash operating systems (ever heard of the <img width="999999" height="999999" /> exploit?). Did some optimization to make the code run a lot faster.
If you've got time on your hands and don't mind having to reboot your computer, remove the spaces and browse to that page. If you're running Opera or a non-Windows OS, it probably won't affect you. But Windows + IE/Firefox + Imagecrash = Blue Screen of Death.
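An added example, not code from this thread or from the library being discussed: a minimal whitelist filter on PHP's DOM extension that drops non-whitelisted tags with their content, restricts attributes per tag, and rejects <img> width/height values that are not plain integers within a cap, which is the kind of check that neutralises the oversized-image page mentioned above. The whitelist, the cap and the function names (ALLOWED, MAX_IMG_DIMENSION, attributeIsSane, cleanNode, purify) are this example's own assumptions.

```php
<?php
// Added example, not the thread's own library code: whitelist HTML filtering on the DOM
// extension, with <img> dimensions capped so an oversized image cannot exhaust the renderer.
const ALLOWED = [ // assumed whitelist: tag => permitted attributes
    'p' => [], 'b' => [], 'i' => [], 'br' => [],
    'a' => ['href'], 'img' => ['src', 'alt', 'width', 'height'],
];
const MAX_IMG_DIMENSION = 2000; // pixels; assumed ceiling

function attributeIsSane(string $tag, string $name, string $value): bool
{
    if ($tag === 'img' && ($name === 'width' || $name === 'height')) {
        return ctype_digit($value) && (int) $value <= MAX_IMG_DIMENSION; // plain integer, capped
    }
    if ($name === 'href' || $name === 'src') {
        // Relative URLs pass; absolute ones must be http(s), so javascript: is rejected.
        $scheme = parse_url($value, PHP_URL_SCHEME);
        return $scheme === null || in_array(strtolower($scheme), ['http', 'https'], true);
    }
    return true;
}

function cleanNode(DOMNode $node): void
{
    // Snapshot the children: removing from a live DOMNodeList while iterating skips entries.
    foreach (iterator_to_array($node->childNodes) as $child) {
        if ($child instanceof DOMText) continue; // text is re-escaped by saveHTML on output
        $tag = $child instanceof DOMElement ? strtolower($child->tagName) : '';
        // Comments, processing instructions and non-whitelisted tags go, content included.
        if (!array_key_exists($tag, ALLOWED)) { $node->removeChild($child); continue; }
        foreach (iterator_to_array($child->attributes) as $attr) {
            $name = strtolower($attr->name);
            if (!in_array($name, ALLOWED[$tag], true) || !attributeIsSane($tag, $name, $attr->value)) {
                $child->removeAttribute($attr->name);
            }
        }
        cleanNode($child);
    }
}

function purify(string $html): string
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true); // malformed markup is repaired by the parser, not fatal
    $doc->loadHTML('<?xml encoding="utf-8"?><div id="root">' . $html . '</div>');
    $root = (new DOMXPath($doc))->query('//div[@id="root"]')->item(0);
    cleanNode($root);
    $out = '';
    foreach ($root->childNodes as $child) { $out .= $doc->saveHTML($child); }
    return $out;
}
```

Feeding purify() the constructed fragment `<img src="a.png" width="999999" height="999999" /><script>x()</script><b>ok</b>` keeps the image with only its src, drops the script element entirely, and keeps the bold text.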
Hmm... you must have a savvy video card or automatic image resizing enabled. The last time I saw a BSOD was about a year and a half ago, except when I pressed that link and ::crash:: Very fun. :-/
Windows XP Pro SP2 + Firefox is fine on that website.
Froze FF for about 4 seconds though. Dunno if video card/spec makes any difference (6600GT 128 MB, AMD64 3200+, 1.5 GB RAM).