Then I guess it depends -- do you want to filter out all html, or allow
html-like content to be displayed back to your users (escaped, of course)?

Personally I prefer the latter because it allows users to write something
like "Strong tags look like this: <strong>content</strong>"

The users will see the actual HTML instead of it being stripped or rendered.

If you're only concerned about XSS then escaping should be fine -- as long
as you remember to escape it whenever it can be evaluated by a parser.

--
*Hector Virgen*
Sr. Web Developer
Walt Disney Parks and Resorts Online
http://www.virgentech.com



On Mon, Oct 25, 2010 at 11:04 AM, robert mena <robert.m...@gmail.com> wrote:

> Hi Hector,
>
> Thanks for your reply.
>
> If I recall, the 'general' advice should be filter input and escape output.
> I am looking for the filter part right now.
>
>
> On Mon, Oct 25, 2010 at 12:39 PM, Hector Virgen <djvir...@gmail.com> wrote:
>
>> If HTML is not allowed, it's better to escape the value instead of strip
>> out content that resembles HTML.
>>
>> --
>> *Hector Virgen*
>> Sr. Web Developer
>> Walt Disney Parks and Resorts Online
>> http://www.virgentech.com
>>
>>
>>
>> On Mon, Oct 25, 2010 at 9:29 AM, robert mena <robert.m...@gmail.com> wrote:
>>
>>> Hi,
>>>
>>> I'd like to know if it is safe to filter XSS using Zend_Filter_Tags if none
>>> of my fields is supposed to receive any HTML.
>>>
>>> I read somewhere (at padraic's blog?) that for more sophisticated filtering
>>> (like allowing certain tags/attributes) Zend_Filter_Tags is not the option.
>>>
>>> Regards.
>>>
>>
>>
>
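To make the strip-versus-escape distinction Hector draws concrete, here is an added example (mine, not code from any post in this thread nor from Zend Framework). It uses core PHP strip_tags() and htmlspecialchars() in place of the Zend filter the question asks about, so it runs stand-alone; the sample strings are constructed for illustration, and the function names are my own.

```php
<?php
// Added example (not from the thread or from Zend Framework): the same user
// input run through both strategies, "filter input" and "escape output".
// Core strip_tags()/htmlspecialchars() stand in for the Zend filter so this
// runs on its own. The sample strings below are constructed for illustration.

// Constructed inputs: legitimate text that merely looks like HTML, plain text
// with angle brackets, and two classic XSS payloads.
$samples = array(
    'Strong tags look like this: <strong>content</strong>',
    'Compare: 5<10 and 10>5',
    '<script>alert(document.cookie)</script>',
    '"><img src=x onerror="alert(1)">',
);

// Strategy 1, "filter input": drop anything that parses as a tag.
// Whatever sat between the angle brackets is gone for good, even when it
// was never HTML ('Compare: 5<10 and 10>5' comes back as 'Compare: 55').
function stripInput($value)
{
    return strip_tags($value);
}

// Strategy 2, "escape output": keep the text verbatim and encode it for the
// parser that will read it. ENT_QUOTES makes the result safe both in element
// content and inside single- or double-quoted attribute values.
function escapeForHtml($value)
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// A different parser needs a different encoder: inside a <script> block HTML
// entities mean nothing, so emit a JSON string literal instead. The HEX flags
// also keep a literal "</script>" in the data from closing the block early.
function escapeForJs($value)
{
    return json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

// Render a fragment the way a view script would: one encoder per context.
function renderFragment($value)
{
    return '<p>' . escapeForHtml($value) . '</p>' . "\n"
         . '<input type="text" value="' . escapeForHtml($value) . '">' . "\n"
         . '<script>var userText = ' . escapeForJs($value) . ';</script>';
}

foreach ($samples as $s) {
    echo "input  : $s\n";
    echo "strip  : " . stripInput($s) . "\n";
    echo "escape : " . escapeForHtml($s) . "\n";
    echo renderFragment($s) . "\n\n";
}
```

Run it with `php example.php` and compare the two columns: the stripped version silently loses the user's "5<10 and 10>5", while the escaped version shows every input verbatim in the browser and neither payload executes, because each value is encoded for the context it lands in (element content, attribute value, script literal). In a Zend_View script the HTML case is what the view's escape() helper does; the point of the separate JS encoder is the last line of Hector's reply: escape for whichever parser will evaluate the value.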
