-- robert mena <robert.m...@gmail.com> wrote (on Monday, 25 October 2010, 03:39 PM -0400):
> In my case I'd like to have control over this. In most cases (like regular
> form variables/GET/hidden) I'd like to remove ALL html. Some fields (a few
> where I allow - via tinyMCE) should allow some tags to be used - like the
> strong.

In the "most cases" situation, simply escape() the content in your view:

    echo $this->escape($this->content);

For the areas where you want to allow some tags, more below:

> In a more recent blog (
> http://blog.astrumfutura.com/2010/08/html-sanitisation-the-devils-in-the-details-and-the-vulnerabilities/)
> I was inclined to use HTMLPurifier despite its performance "problem".
> But it does not address my general filtering problem.
>
> Can Zend_Filter_Tags help with that?

First, some terminology: while the component is called "Zend_Filter", that
should not limit it to the "filter input" portion of the security mantra.
Filters are used to transform input according to defined rules, and as such
can be used for either sanitisation of input or escaping of output.

Output should be escaped based on the context -- for the web, you want to
escape in such a fashion that the content returned is valid HTML markup, and
does not introduce security vectors such as XSS; for plain text, you might
want to strip tags entirely; for PDF, you may want to parse the HTML into PDF
markup.

In general, "filtering" in the security sense is screening the input to
determine if it's safe or not -- something that the various classes under
Zend_Validate are very good at. "Filter input" can also apply to input
normalisation, however, which brings us to the next point.

Zend_Filter_StripTags is intended to strip HTML tags and/or specific tag
attributes. It can be used either when you receive the input, or when you're
sending output. However, it's a poor solution when it comes to security --
you're much better off using HTMLPurifier at this time.

In order to help with the performance issues, in this case I'd run the content
through HTMLPurifier as you receive the input -- that way you're only invoking
it once, instead of on every view in which the content may be displayed. As
such, it would fall under the "input normalisation" aspect of "filter input".

Since you would be sanitising the content before persisting it, you would only
need to escape the content when rendering if you don't want to render HTML
content.

> On Mon, Oct 25, 2010 at 2:12 PM, Hector Virgen <djvir...@gmail.com> wrote:
>
> > Then I guess it depends -- do you want to filter out all html, or allow
> > html-like content to be displayed back to your users (escaped, of course)?
> >
> > Personally I prefer the latter because it allows users to write something
> > like "Strong tags look like this: <strong>content</strong>"
> >
> > The users will see the actual HTML instead of it being stripped or
> > rendered.
> >
> > If you're only concerned about XSS then escaping should be fine -- as long
> > as you remember to escape it whenever it can be evaluated by a parser.
> >
> > --
> > *Hector Virgen*
> > Sr. Web Developer
> > Walt Disney Parks and Resorts Online
> > http://www.virgentech.com
> >
> > On Mon, Oct 25, 2010 at 11:04 AM, robert mena <robert.m...@gmail.com> wrote:
> >
> >> Hi Hector,
> >>
> >> Thanks for your reply.
> >>
> >> If I recall, the 'general' advice should be filter input and escape output.
> >> I am looking for the filter part right now.
> >>
> >> On Mon, Oct 25, 2010 at 12:39 PM, Hector Virgen <djvir...@gmail.com> wrote:
> >>
> >>> If HTML is not allowed, it's better to escape the value instead of strip
> >>> out content that resembles HTML.
> >>>
> >>> --
> >>> *Hector Virgen*
> >>> Sr. Web Developer
> >>> Walt Disney Parks and Resorts Online
> >>> http://www.virgentech.com
> >>>
> >>> On Mon, Oct 25, 2010 at 9:29 AM, robert mena <robert.m...@gmail.com> wrote:
> >>>
> >>>> Hi,
> >>>>
> >>>> I'd like to know if it is safe to filter XSS using Zend_Filter_Tags if
> >>>> none of my fields is supposed to receive any HTML.
> >>>>
> >>>> I read somewhere (at padraic's blog?) that for more sophisticated
> >>>> filtering (like allowing certain tags/attributes) Zend_Filter_Tags is
> >>>> not the option.
> >>>>
> >>>> Regards.

-- 
Matthew Weier O'Phinney
Project Lead | matt...@zend.com
Zend Framework | http://framework.zend.com/
PGP key: http://framework.zend.com/zf-matthew-pgp-key.asc
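The split Matthew describes, escape at output for fields that never carry HTML and run HTMLPurifier once at input time for the tinyMCE fields, written out as a small PHP script. This is an added example, not code from the thread or from Zend Framework or HTMLPurifier; it assumes Zend Framework 1.x and HTMLPurifier are on the include_path (both `require_once` paths are assumptions), and the sample strings are constructed. It also shows, for contrast, why Zend_Filter_StripTags loses the literal-HTML case Hector mentions.

```php
<?php
// Added example (not from the mailing-list thread, Zend Framework or HTMLPurifier).
// Assumption: ZF 1.x and HTMLPurifier are resolvable via include_path.
require_once 'Zend/View.php';
require_once 'Zend/Filter/StripTags.php';
require_once 'HTMLPurifier.auto.php';

// Constructed sample input, as a user might submit it.
$plainField = 'Strong tags look like this: <strong>content</strong>';
$richField  = '<p>Hello <strong>world</strong></p>'
            . '<script>alert(1)</script>'
            . '<a href="javascript:alert(1)">click</a>';

/**
 * "Most cases": the field is not supposed to contain HTML at all.
 * Store the raw value, and escape it in the view at render time.
 * Zend_View::escape() defaults to htmlspecialchars() with ENT_QUOTES/UTF-8,
 * so the user's text is shown literally and never parsed as markup.
 */
function renderPlainField(Zend_View $view, $value)
{
    $view->content = $value;
    return $view->escape($view->content);
}

/**
 * Rich-text field (tinyMCE): normalise ONCE when the input arrives, with an
 * explicit allow-list of tags and attributes, then persist the purified
 * result. Views can render that stored value unescaped, so HTMLPurifier is
 * not invoked on every page view.
 */
function sanitiseRichText($html)
{
    static $purifier = null;
    if ($purifier === null) {
        $config = HTMLPurifier_Config::createDefault();
        // Only these elements/attributes survive; everything else is removed.
        $config->set('HTML.Allowed', 'p,strong,em,a[href]');
        $purifier = new HTMLPurifier($config);
    }
    return $purifier->purify($html);
}

$view = new Zend_View();

// 1. Escaped output: the <strong> tags are displayed, not interpreted.
echo renderPlainField($view, $plainField), "\n";
// Strong tags look like this: &lt;strong&gt;content&lt;/strong&gt;

// 2. Input-time sanitisation for the rich field: the <script> element is
//    dropped and the javascript: href is rejected by HTMLPurifier's default
//    URI scheme policy, while <p>/<strong> are kept.
$stored = sanitiseRichText($richField);   // this is what you would persist
echo $stored, "\n";

// 3. Contrast: StripTags on the plain field silently removes the user's
//    example markup instead of showing it, which is Hector's objection.
$strip = new Zend_Filter_StripTags();
echo $strip->filter($plainField), "\n";
// Strong tags look like this: content
```

The `static $purifier` keeps the (relatively expensive) HTMLPurifier construction to one instance per request, which is the performance point Matthew raises; in an application you would call `sanitiseRichText()` in the action that receives the form post, store its return value, and keep `escape()` for every other field in the view scripts.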