  1. #1 XtrEM3 (SitePoint Guru)

    Where should I filter my HTML output?

    I'm wanting to prevent XSS attacks or similar, so I've been meaning to put in a filter somewhere, but I haven't been able to figure out exactly how to implement it.

    Basically, I have a Template class which does most of the presentation handling. This is where I initially felt I should filter all my HTML (i.e. htmlspecialchars()), but then quickly discarded that idea because this template class isn't just for HTML templates, but also email, and others (in the future, such as AJAX, SMS, and/or RSS), so I realized that just one universal filter for all of these wouldn't be sufficient.

    Would this be a candidate for an InterceptFilter? I don't have Filters yet in my application, as I haven't found enough use for them, nor have I got a great grasp of even how to use them. So, if someone thinks this is the way, would you mind explaining, using generic classes, how I should implement something like this between my PageControllers and my Templates?

    I can provide a brief overview of the OOP in my app, if that'll help. Basically, I only use a few patterns such as PageController, Observer, and Template, but to my knowledge, I don't use any others.

    Thanks

  2. #2 kyberfabrikken (SitePoint Wizard)

    Quote Originally Posted by XtrEM3:
    Basically, I have a Template class which does most of the presentation handling. This is where I initially felt I should filter all my HTML (i.e. htmlspecialchars()), but then quickly discarded that idea because this template class isn't just for HTML templates, but also email, and others (in the future, such as AJAX, SMS, and/or RSS), so I realized that just one universal filter for all of these wouldn't be sufficient.

    Your initial instincts are spot on. You should definitely let the presentation layer (your template engine) escape HTML entities. What you'd want to do is make your template engine aware of the content-type of the template. That way, you only have to switch one property to change the escape mechanism. XSS attacks target the specific output format, so you would have to escape strings differently if the output format isn't HTML.
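One way to implement the content-type-aware escaping kyberfabrikken describes, as an added example that is not code from either poster: a small Template class whose single contentType property selects the escaper applied to every substituted value, so the page controllers never choose a filter themselves. The class name, the {{ name }} placeholder syntax and the set of content-type strings are assumptions for the illustration; the PHP functions used (htmlspecialchars, json_encode, preg_replace_callback) are standard.

```php
<?php
declare(strict_types=1);

// Added example (not from the thread): a minimal template engine that escapes
// every substituted value according to the content type of the template, so
// the caller switches one property instead of picking a filter per output.
final class Template
{
    private string $contentType;
    private string $source;

    public function __construct(string $source, string $contentType = 'text/html')
    {
        $this->source = $source;
        $this->setContentType($contentType);
    }

    // The one property the controller (or a subclass) switches per output format.
    public function setContentType(string $contentType): void
    {
        $this->contentType = strtolower($contentType);
    }

    // Escape a single value for the current output format.
    public function escape($value): string
    {
        $value = (string) $value;
        switch ($this->contentType) {
            case 'text/html':
                // Covers element text and quoted attribute values; ENT_SUBSTITUTE
                // replaces malformed UTF-8 instead of returning an empty string.
                return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
            case 'application/rss+xml':
            case 'application/xml':
            case 'text/xml':
                // XML 1.0 rules: quotes become numeric references, not HTML-only names.
                return htmlspecialchars($value, ENT_QUOTES | ENT_XML1 | ENT_SUBSTITUTE, 'UTF-8');
            case 'application/json':
                // Produces a quoted JSON string literal; the HEX flags also encode
                // < > & ' " so the literal stays inert if embedded in a <script> block.
                return json_encode(
                    $value,
                    JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
                    | JSON_UNESCAPED_UNICODE | JSON_THROW_ON_ERROR
                );
            case 'text/plain':
                // Plain-text email or SMS: markup is inert, but control characters
                // (e.g. CR/LF that could terminate a mail header) are removed.
                return preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', '', $value);
            default:
                // Fail closed: an unknown format gets no escaper and no output.
                throw new InvalidArgumentException("No escaper for content type: {$this->contentType}");
        }
    }

    // Replace {{ name }} placeholders with escaped values. An unknown name is an
    // error rather than a silently leaked placeholder.
    public function render(array $vars): string
    {
        return preg_replace_callback(
            '/\{\{\s*([A-Za-z_][A-Za-z0-9_]*)\s*\}\}/',
            function (array $m) use ($vars): string {
                if (!array_key_exists($m[1], $vars)) {
                    throw new RuntimeException("Undefined template variable: {$m[1]}");
                }
                return $this->escape($vars[$m[1]]);
            },
            $this->source
        );
    }
}

// Constructed untrusted input, as a visitor might submit it in a form.
$name = '<script>alert(1)</script>" onmouseover="x';

// Same value, three output formats: only the content type changes.
$page = new Template('<p>Hello, {{ name }}</p>', 'text/html');
echo $page->render(['name' => $name]), PHP_EOL;

$ajax = new Template('{"greeting": {{ name }}}', 'application/json');
echo $ajax->render(['name' => $name]), PHP_EOL;

$mail = new Template("Hello, {{ name }}\n", 'text/plain');
echo $mail->render(['name' => $name]);
```

The HTML escaper is correct for element text and for attribute values that the template itself wraps in quotes; a value dropped into a URL, an inline event handler, or a style block needs a context-specific encoder, which is a further refinement of the same idea rather than a reason to move escaping back into the controllers.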

