
Re: strip_tags - HTML tag stripper



On Tue, Apr 22, 2008 at 9:54 AM, Jim Whitehead II <jnwhiteh@gmail.com> wrote:
> I was not advocating a blacklist versus a whitelist, since a whitelist
> is obviously more secure. This is actually what yuri's xssfilter
> library provides, and it seems to do a very solid job. That being
> said, I will look into htmlpurifier but it being a pure PHP solution
> makes it much less useful to me directly.

I mostly mentioned HtmlPurifier as a counter to strip_tags. Obviously,
it's of little use together with Lua.

I always get a little uneasy whenever people talk about filtering
HTML. Mind you, there are situations where that's the only thing to
do, but generally speaking, you have a security problem the moment
you let the user supply data that you are going to display directly.
Filtering helps, but it's fundamentally a flawed solution. Just my 2€.

--
troels
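
The contrast drawn in the message above, as an added Lua example that is not part of the original post or of any library named in the thread: a pattern-based tag stripper beside escaping at output time, run over constructed sample strings. The names `escape_html`, `naive_strip` and `has_markup_chars` are hypothetical, and the example assumes the user data is meant to be shown as text rather than as markup.

```lua
-- Added example: names and sample strings are constructed for illustration.

-- Characters that are significant in HTML text and quoted attribute values.
local ESCAPES = {
  ["&"] = "&amp;", ["<"] = "&lt;", [">"] = "&gt;",
  ['"'] = "&quot;", ["'"] = "&#39;",
}

-- Escape at output time: the data is rendered as text, never as markup.
local function escape_html(s)
  return (tostring(s):gsub("[&<>\"']", ESCAPES))
end

-- Hypothetical pattern-based stripper: deletes anything shaped like a
-- complete tag and leaves everything else untouched.
local function naive_strip(s)
  return (s:gsub("<[^>]*>", ""))
end

-- True if the string still contains a character that can change how the
-- surrounding HTML is parsed.
local function has_markup_chars(s)
  return s:find("[<>\"']") ~= nil
end

local samples = {                 -- constructed inputs
  "plain text",
  "<b>bold</b> & more",
  'name" title="injected',        -- no tag, but closes a quoted attribute
  "<b unterminated",              -- never closed, so the pattern misses it
}

for _, input in ipairs(samples) do
  local stripped, escaped = naive_strip(input), escape_html(input)
  print(("input    %q"):format(input))
  print(("  strip  %q  markup chars left: %s")
    :format(stripped, tostring(has_markup_chars(stripped))))
  print(("  escape %q  markup chars left: %s")
    :format(escaped, tostring(has_markup_chars(escaped))))
end
```

The last two samples pass through the stripper unchanged because neither contains a complete tag, while the escaped form of every sample contains no character that the HTML parser treats as markup.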
