tags:

views:

83

answers:

3
+1  Q: 

Confused about StripTags filter

I'm a little confused about the StripTags filter as used in Zend. I think it's meant to strip tags that could result in XSS. So shouldn't that mean it should be used when outputting data in the views? I've seen it being used with form inputs 

->addFilter('StripTags')

Should it be used with both input in the forms and output in the views, or does it work by filtering the data before it even enters the database (in which case that wouldn't be a good idea).

A: 

StripTags is used with output in the views. Note, that displaying text in editable field(such as textarea) is actually still an "output in the view". Data should not be preprocessed/transformed before entering the database.

Levon Mirzoyan  2010-10-11 08:55:14
+2  A: 

Not so much a direct answer to your question and more an alternative approach.

In the blog post "HTML Sanitisation: The Devil's In The Details (And The Vulnerabilities)", Padraic Brady discusses HTML sanitisation and various components for doing it. He expresses significant concerns about the use of the StripTags filter for that purpose.

HTMLPurifier seems to be a better choice.

David Weinraub  2010-10-11 12:05:53
Nice find. Padraic always comes up with good stuff. I do agree that HTMLPurifier is the best outside of zend so I hope the proposal he's talking about makes it through to zend 2, coz I've got a feeling stripTags has a flawed implementation underneath.. though that question itself is still open for answering.
jblue  2010-10-11 12:50:27
Right, it's still a valid question, one that I kind of sidestepped. Thanks for not taking me to task on it. And for what I assume are your upvotes. ;-)
David Weinraub  2010-10-11 13:11:31
Helpful answers deserve the upvote man, it's a little thank you for bothering to help.
jblue  2010-10-11 13:58:18
Roger that. ;-)
David Weinraub  2010-10-11 15:00:30
A: 

The strip tag filter will not occur unless you explicitly call it through 

$stripedValue = $form->getValue('fieldName');
Jeff  2010-10-14 19:01:24

related questions

IDE suggestions: Eclipse IDE vs. Zend Studio ( confused )
MySQL/Apache Error in PHP MySQL query
Lightweight IDE for Linux
What PHP framework would you choose for a new application and why?
Why is my ternary expression not working?
How can I get at the matches when using preg_replace in PHP?
Mechanisms for tracking DB schema changes
Wordpress theme development offline tools
Using object property as default for method property
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Make XAMPP/Apache serve file outside of htdocs
How do you debug PHP scripts?
PHP Variables passed by value or by reference?
Best way to implement unit testing in PHP
Connect PHP to an AS/400
Best way to access Exchange using PHP?
PHP Session Security
How do I access a remote form in php?
What's the best way to generate a tag cloud from an array? (using h1 through h6 for sizing)
Apache/PHP: error_log per Virtual Host?
How do I track file downloads with apache/PHP
How would you access Object properties from within an object method?
Flat File Databases in PHP
Best way to allow plugins for a PHP application
Latest information on PHP upcoming releases