Comments on: SafeHTML - cleaning form input

By: psojiakmht

psojiakmht — Tue, 23 Jan 2007 17:47:07 +0000

By: SitePoint Blogs » Tim’s comment challenge…

SitePoint Blogs » Tim’s comment challenge… — Mon, 22 May 2006 15:32:00 +0000

[…] For comment markup, what to we want to point Tim at? As mentioned before, SafeHTML (packaged under PEAR as HTML_Safe) would allow posting raw HTML, perhaps with help from tidy to make sure it’s XHTML. There is PHP Markdown (don’t know much about this e.g. security record / UTF-8 handling) for a fairly standard markup. Alternatively Dokuwiki’s parser could be extracted (with a little hacking)—shouldn’t harm UTF-8 and shouldn’t result is broken XHTML. What else? […]

By: mwmitchell

mwmitchell — Fri, 24 Feb 2006 03:09:05 +0000

Whipped up a little template class based on your idea Harry, of using short tags with htmlentities: http://www.sitepoint.com/forums/showpost.php?p=2529188&postcount=53

- matt

By: Roman Ivanov

Roman Ivanov — Tue, 21 Feb 2006 07:57:05 +0000

Helgi Þormar: HTML_Safe is most recent version, such as SafeHTML.

I update both packages simultaneously.

By: Sandbox B3ta » Cleaning up the Input

Sandbox B3ta » Cleaning up the Input — Tue, 21 Feb 2006 03:45:07 +0000

[…] Harry Fuecks blogs about cleaning up form input which is something I need to look into. One of the comments points to PHP Input Filter which looks like it does things the simple way, i.e. I may be able to use it . . . February 21st 2006 Posted to Code […]

By: worchyld

worchyld — Mon, 20 Feb 2006 17:44:11 +0000

What about Input Filter on http://cyberai.com/inputfilter/

By: HarryF

HarryF — Sun, 19 Feb 2006 15:25:01 +0000

KSES I had heard of - never looked at it too deeply but, from, seems to be a serious attempt.

OK - when I get some time will do a comparison.

By: Matt Mullenweg

Matt Mullenweg — Sat, 18 Feb 2006 22:44:01 +0000

How does this compare to something like KSES?

http://sourceforge.net/projects/kses

By: HarryF

HarryF — Sat, 18 Feb 2006 21:35:21 +0000

I guess this needs link to as well: http://blog.bitflux.ch/wiki/XSS_Prevention

By: HarryF

HarryF — Sat, 18 Feb 2006 21:33:27 +0000

safeHTML should pass all the XSS examples on http://ha.ckers.org/xss.html

Playing around with the demo, looks OK. Thanks for the link - that really needs turning into some unit tests, to run against these sort of projects.

http://hvge.sk/scripts/tagwall/ Not documented, but really worth a try. Works really good on some websites I know.

Like the first impressions there - nice code. Not sure it’s doing quite the same thing though - seems more focused on stripping particular HTML tags rather than XSS prevention. Will look further.