Filtering user input - do I need to filter HTML?

Note: I will make sure that SQL injection prevention and output escaping are handled elsewhere; this question only concerns input filtering, thanks.

I am reorganizing my user input filtering functions. Before passing a GET / POST parameter to a type filter with filter_var(), I do the following:

Now the question is: does it make sense to pass the parameter through a filter such as htmLawed or HTML Purifier, or can I consider the input safe? It seems to me that the two differ mainly in the detail with which they handle valid HTML elements and attributes (which does not interest me, since I delete everything), but the htmLawed docs have a section on dangerous characters, which suggests that there may be a reason to use it. In that case, what would be a reasonable configuration?

+5
2 answers

... XSS ... wapiti.*

... strip_tags() ... html/javascript! ... htmlspecialchars($var, ENT_QUOTES); ...

... xss:

print('<A HREF="http://www.xssed.com/' . strip_tags($_REQUEST['xss']) . '">link</a>');

... < > ... javascript ... onmouseover ...:

$_REQUEST['xss'] = '" onMouseOver="alert(/xss/)"';

ENT_QUOTES ... XSS.

* ...

+2
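The strip_tags() versus htmlspecialchars() contrast in the answer above, carried through as an added example that is not part of the original answer or of any library the question names: it feeds the answer's own payload (which contains no < or > at all) into the same href attribute context, once through strip_tags() and once through htmlspecialchars() with ENT_QUOTES, and adds the caveat a practitioner would want, namely that a value placed inside a URL inside an attribute should be URL-encoded for that inner context as well. The helper function names, the attributeBroken() check and the assumption of a PHP 7.4+ command-line interpreter are mine, not the page's.

```php
<?php
// Added example, not code from the original question or answers.
// Assumes PHP 7.4+ run from the CLI: php strip_tags_vs_htmlspecialchars.php

// Constructed payload, identical to the one in the answer: no '<' or '>'.
$payload = '" onMouseOver="alert(/xss/)"';

// Simulate the request parameter the answer assigns on $_REQUEST.
$_REQUEST['xss'] = $payload;

/**
 * Vulnerable sink: strip_tags() removes tags only. Nothing in this payload
 * is a tag, so the value reaches the attribute unchanged and the first
 * double quote closes href, leaving onMouseOver as a live event handler.
 */
function renderWithStripTags(string $value): string
{
    return '<a href="http://www.xssed.com/' . strip_tags($value) . '">link</a>';
}

/**
 * Hardened sink: encode for the HTML attribute context at output time.
 * ENT_QUOTES turns both " and ' into entities, so the payload can no
 * longer terminate the attribute. Charset is given explicitly.
 */
function renderWithHtmlspecialchars(string $value): string
{
    $encoded = htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a href="http://www.xssed.com/' . $encoded . '">link</a>';
}

/**
 * Practitioner's caveat (hypothetical helper): the value here is a URL path
 * segment inside an attribute, so encode for the inner context first
 * (rawurlencode), then for the outer one (htmlspecialchars). The second step
 * is a no-op on percent-encoded text but keeps the layering explicit.
 */
function renderUrlThenHtmlEncoded(string $value): string
{
    $encoded = htmlspecialchars(rawurlencode($value), ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a href="http://www.xssed.com/' . $encoded . '">link</a>';
}

/**
 * Crude detector for this demo only: true when the href value was closed
 * immediately after the trusted prefix, i.e. the payload's quote survived raw.
 */
function attributeBroken(string $html): bool
{
    return (bool) preg_match('#href="http://www\.xssed\.com/"#', $html);
}

$vulnerable = renderWithStripTags($_REQUEST['xss']);
$hardened   = renderWithHtmlspecialchars($_REQUEST['xss']);
$layered    = renderUrlThenHtmlEncoded($_REQUEST['xss']);

echo "strip_tags():                 ", $vulnerable, PHP_EOL;
echo "htmlspecialchars(ENT_QUOTES): ", $hardened, PHP_EOL;
echo "rawurlencode + htmlspecialchars: ", $layered, PHP_EOL, PHP_EOL;

foreach (['strip_tags' => $vulnerable,
          'htmlspecialchars' => $hardened,
          'rawurlencode+htmlspecialchars' => $layered] as $name => $html) {
    echo str_pad($name, 32), 'payload closes href attribute: ',
         attributeBroken($html) ? 'yes' : 'no', PHP_EOL;
}
```

Running it prints the strip_tags() variant with the payload's quote terminating href and onMouseOver sitting as a real attribute, while the htmlspecialchars() variant shows the same bytes as &quot; entities inside the attribute value, and the URL-then-HTML-encoded variant shows the payload fully percent-encoded. The point for the question: an input-side filter that deletes tags says nothing about what the value does once it lands in an attribute, a URL or a script block; the encoding has to match the output context, which is why the answer treats htmlspecialchars() with ENT_QUOTES, not strip_tags(), as the XSS control.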

... html ...

0
