-- robert mena <robert.m...@gmail.com> wrote
(on Monday, 25 October 2010, 03:39 PM -0400):
> In my case I'd like to have control over this.   In most cases (like regular
> form variables/GET/hidden) I'd like to remove ALL html.  Some fields (a few
> where I allow - via tinyMCE) should allow some tags to be used - like the
> strong.

In the "most cases" situation, simply escape() the content in your view:

    echo $this->escape($this->content);

For the areas where you want to allow some tags, more below:

> In a more recent blog (
> http://blog.astrumfutura.com/2010/08/html-sanitisation-the-devils-in-the-details-and-the-vulnerabilities/)
> I was inclined to use HTMLPurifier despite its performance "problem".
> But it does not address my general filtering problem.
> 
> Can Zend_Filter_Tags help with that?

First, some terminology: while the component is called "Zend_Filter",
that should not limit it to the "filter input" portion of the security
mantra. Filters are used to transform input according to defined rules,
and as such can be used for either sanitisation of input or escaping of
output. Output should be escaped based on the context -- for the web,
you want to escape in such a fashion that the content returned is valid
HTML markup, and does not introduce security vectors such as XSS; for
plain text, you might want to strip tags entirely; for PDF, you may want
to parse the HTML into PDF markup.

In general, "filtering" in the security sense is screening the input to
determine if it's safe or not -- something that the various classes
under Zend_Validate are very good at. "Filter input" can also apply to
input normalisation, however, which brings us to the next point.

Zend_Filter_StripTags is intended to strip HTML tags and/or specific tag
attributes. It can be used either when you receive the input, or when
you're sending output. However, it's a poor solution when it comes to
security -- you're much better off using HTMLPurifier at this time. In
order to help with the performance issues, in this case I'd run the
content through HTMLPurifier as you receive the input -- that way you're
only invoking it once, instead of on every view in which the content may
be displayed. As such, it would fall under the "input normalisation"
aspect of "filter input". 

Since you would be sanitising the content before persisting it, you
would only need to escape the content when rendering if you don't want
to render HTML content.

> On Mon, Oct 25, 2010 at 2:12 PM, Hector Virgen <djvir...@gmail.com> wrote:
> 
> > Then I guess it depends -- do you want to filter out all html, or allow
> > html-like content to be displayed back to your users (escaped, of course)?
> >
> > Personally I prefer the latter because it allows users to write something
> > like "Strong tags look like this: <strong>content</strong>"
> >
> > The users will see the actual HTML instead of it being stripped or
> > rendered.
> >
> > If you're only concerned about XSS then escaping should be fine -- as long
> > as you remember to escape it whenever it can be evaluated by a parser.
> >
> >
> > --
> > *Hector Virgen*
> > Sr. Web Developer
> > Walt Disney Parks and Resorts Online
> > http://www.virgentech.com
> >
> >
> >
> > On Mon, Oct 25, 2010 at 11:04 AM, robert mena <robert.m...@gmail.com> wrote:
> >
> >> Hi Hector,
> >>
> >> Thanks for your reply.
> >>
> >> If I recall the 'general' advice should be filter input and escape output.
> >>  I am looking for the filter part right now.
> >>
> >>
> >> On Mon, Oct 25, 2010 at 12:39 PM, Hector Virgen <djvir...@gmail.com> wrote:
> >>
> >>> If HTML is not allowed, it's better to escape the value instead of strip
> >>> out content that resembles HTML.
> >>>
> >>> --
> >>> *Hector Virgen*
> >>> Sr. Web Developer
> >>> Walt Disney Parks and Resorts Online
> >>> http://www.virgentech.com
> >>>
> >>>
> >>>
> >>> On Mon, Oct 25, 2010 at 9:29 AM, robert mena <robert.m...@gmail.com> wrote:
> >>>
> >>>> Hi,
> >>>>
> >>>> I'd like to know if it is safe to filter XSS using Zend_Filter_Tags if
> >>>> none of my fields is supposed to receive any HTML.
> >>>>
> >>>> I read somewhere (at padraic's blog?) that for more sophisticated
> >>>> filtering
> >>>> (like allowing certain tags/attributes) Zend_Filter_Tags is not the
> >>>> option.
> >>>>
> >>>> Regards.
> >>>>
> >>>
> >>>
> >>
> >

-- 
Matthew Weier O'Phinney
Project Lead            | matt...@zend.com
Zend Framework          | http://framework.zend.com/
PGP key: http://framework.zend.com/zf-matthew-pgp-key.asc
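The approach described in the reply above, written out as an added example that is not code from any post in this thread: the rich-text field is run through HTMLPurifier once on input via a small Zend_Filter_Interface wrapper, the plain fields are stripped of tags, and escaping is left to the view. It assumes Zend Framework 1.x and HTMLPurifier 4.x on the include_path; the class name My_Filter_HtmlPurifier and the field names are hypothetical.

```php
<?php
// Added example, not from the thread. Assumes Zend Framework 1.x and
// HTMLPurifier 4.x are on the include_path; My_Filter_HtmlPurifier and the
// field names 'title' / 'body' are hypothetical.
require_once 'HTMLPurifier.auto.php';

/** Wraps HTMLPurifier as a Zend_Filter so it can run inside Zend_Filter_Input. */
class My_Filter_HtmlPurifier implements Zend_Filter_Interface
{
    private $purifier;

    public function __construct(array $allowedTags = array('strong', 'em', 'p'))
    {
        $config = HTMLPurifier_Config::createDefault();
        // Whitelist only the tags the tinyMCE field is meant to produce.
        $config->set('HTML.Allowed', implode(',', $allowedTags));
        $this->purifier = new HTMLPurifier($config);
    }

    public function filter($value)
    {
        return $this->purifier->purify((string) $value);
    }
}

// "Filter input": plain fields lose every tag; the rich-text field is purified
// once here, before persisting, so HTMLPurifier is not invoked on every view.
$filters = array(
    'title' => array('StringTrim', 'StripTags'),
    'body'  => array(new My_Filter_HtmlPurifier()),
);
$validators = array(
    'title' => array('NotEmpty'),
    'body'  => array('NotEmpty'),
);
$input = new Zend_Filter_Input($filters, $validators, $_POST);

if ($input->isValid()) {
    // Zend_Filter_Input's magic getters return HtmlEntities-escaped values;
    // fetch the unescaped ones here and escape in the view instead, otherwise
    // the purified markup in 'body' would be double-encoded.
    $title = $input->getUnescaped('title'); // plain text, tags removed
    $body  = $input->getUnescaped('body');  // sanitised HTML, kept as markup
    // ... persist $title and $body ...
}

// "Escape output" in the view script: the plain field is escaped, the
// already-sanitised rich-text field is echoed as HTML.
// <h1><?php echo $this->escape($this->title); ?></h1>
// <div class="body"><?php echo $this->body; ?></div>
```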