Comments on: Cleaning up your inputs

By: Aship De

Aship De — Sat, 02 Feb 2008 21:40:12 +0000

Try htmLawed. Besides filtering admin-specified HTML tags, attributes, etc., it can also balance and properly nest HTML tags, transform deprecated tags and attributes, and so on.

By: vinu

vinu — Fri, 09 Mar 2007 04:02:33 +0000

Yep. I now use Zend_Filter. I’d written this before I discovered Zend Framework

By: Gustav

Gustav — Thu, 08 Mar 2007 06:52:30 +0000

Interesting and useful article.
At the moment I’m on the mission to find me a very good (if not the best) input cleaner.
phpclasses.org’s “PHP Input Filter” class is not perfect, it haves some flaws and is outdated. Check this article: http://devzone.zend.com/node/view/id/1752 . Especially read the comments.

By: mk

mk — Tue, 19 Sep 2006 01:12:07 +0000

Wouldn’t the strip_tags function have a very similar effect, except for the fact that you can only strip either all tags or leave in specified ones? IMO strip_tags could be a little better since it is a good idea to remove all tags anyway except for the ones you really, really need.

http://us3.php.net/manual/en/function.strip-tags.php

By: maqs

maqs — Sat, 22 Jul 2006 06:44:10 +0000

Wow! thats wat i can say…… waiting for second part of it…..

Cheers!

By: zean.no-ip.info » Cleaning up your inputs - PHP

zean.no-ip.info » Cleaning up your inputs - PHP — Sat, 08 Jul 2006 00:53:40 +0000

[...] (more…) [...]

By: vinu

vinu — Wed, 05 Jul 2006 02:59:09 +0000

Hey Dave,
The XSS workshop you’ve setup is real cool !

By: Dave

Dave — Tue, 04 Jul 2006 09:50:25 +0000

Sry, my tags where stripped
Here the same again:

Don’t forget the event handlers.
Maybe you would do something like:

Search again:

What do you think happens if the user_input is:
myvalue�? onclick=�?javascript:alert(’xss’)>

It becomes:

Didn’t check if there’s anything the Input Filter Class does with those strings.

Additionally, I finished a small XSS-Workshop today: http://www.blogged-on.de/xss

It’s worth looking…

By: Dave

Dave — Tue, 04 Jul 2006 09:48:25 +0000

Don’t forget the event handlers.
Maybe you would do something like:

Search again:

What do you think happens if the user_input is:
myvalue” onclick=”javascript:alert(‘xss’)>

Didn’t check if there’s anything the Input Filter Class does with those strings.

Additionally, I finished a small XSS-Workshop today: http://www.blogged-on.de/xss

It’s worth looking…

By: vinu

vinu — Tue, 04 Jul 2006 03:01:46 +0000

Thanks for the headsup Stefan. I may write up a second part of this article which deals with how to use the Zend_Filter_Input class.

By: stefan

stefan — Mon, 03 Jul 2006 13:43:11 +0000

I would like to recommend also looking into the Zend_Filter_Input class of the Zend Framework: http://framework.zend.com/manual/en/zend.filter.input.html

Very useful, very solid code, from THE person that focusses on secure PHP programming.