tags:

views:

156

answers:

1
Q: 

XSS Prevention, Tidy vs Purifier?

Greetings,

I'm trying to prevent XSS and improper html from input fields using CKEditor (a javascript WYSIWYG editor).

How should I filter this data on the server side? The two options I'm comparing are PHP Tidy and HTML Purifier. I'm interested in speed, security, and valid nesting.

Edit:

According to HTML Purifier, Tidy does not prevent XSS. So, let me specify that I would first pass the user input through

strip_tags($input,'<img><a><li><ol><ul><b><br>'); before passing to Tidy

+1  A: 

HTML Purifier restricts the input beyond what strip_tags can. strip_tags would not strip JavaScript from the attributes of the tags you are allowing. I definitely recommend using HTML Purifier. HTML Purifier is not fast, but add/edit executions are usually less frequent than views so performance is less of an issue.

Sonny  2010-07-06 20:34:32
Also, HTML Purifier is a one-stop-shop, so you don't need to pass the code to Tidy afterward.
Sonny  2010-07-14 19:05:16
Just found this comparison, and it mentions `strip_tags` and Tidy. http://htmlpurifier.org/comparison
Sonny  2010-07-14 19:08:10

related questions

Why does this remote script cause IE6 to hang?
HTTP input filter like mod_security for WebSphere?
Should I sanitize HTML markup for a hosted CMS?
HTML/Javascript app that runs on the filesystem, security issue
Gracefully closing a frame (toolbar) around an iframe
What's the best method for sanitizing user input with PHP?
How do you htmlencode using html agility pack?
XSS Blacklist - Is anyone aware of a reasonable one?
Do htmlspecialchars and mysql_real_escape_string keep my PHP code safe from injection?
What percentage of my time will be spent in user input verfication during web development?
How do you allow the usage of an <img> while preventing XSS?
What are the best practices for avoid xss attacks in a PHP site
How do use fckEditor safely, without risk of cross site scripting?
Will HTML Encoding prevent all kinds of XSS attacks?
Inform potential clients about security vulnerabilities?
Best Practice: Legitimate Cross-Site Scripting
Access to restricted URI denied code: 1012
How do you set up use HttpOnly cookies in PHP
When is it Best to Sanitize User Input?
How exactly do you configure httpOnlyCookies in ASP.NET?
How do you configure HttpOnly cookies in tomcat / java webapps?
Communicating between websites (using Javascript or ?)
Best regex to catch XSS (Cross-site Scripting) attack (in Java)?
Sanitising user input using Python
Catching SQL Injection and other Malicious Web Requests