SafeHTML – cleaning form input
Reading a couple of web-related security books at the moment.
One is Apache Security, by Ivan Ristic (mod_security), who I got to meet again last weekend. Will save a long review for another time (I’m not finished reading yet), suffice to say this is a must read if you’re doing anything around Apache. Particularly PHP developers, who tend to see just their small part of the stack (“Apache is the host’s problem, right?”).
Another is PHP-Sicherheit, a German publication, one of the authors being Christopher Kunz, who was at the conference, talking about Hardened PHP.
Also can’t say much about PHP-Sicherheit yet, other than I like what I’ve seen so far. What got me typing though was its mention of SafeHTML – an “anti-XSS HTML parser, written in PHP”, by Roman Ivanov, which I hadn’t seen before. In an odd way it’s kind of a product of Sitepointforums, given that it uses XML_HTMLSax, which basically got developed in this thread.
It also looks like it’s being smart about UTF-7 – haven’t examined that closely yet. Another good sign (odd as it may seem) is the “bug reports”, which have also been fixed.
Still not entirely convinced though – one thing that puzzles me is it’s taking all the decisions about what HTML gets stripped for you. Will it cope with a table tag with a large width, that effectively breaks a design, for example (OK – that’s not XSS but…)? Still investigating… Would also be good to see this hosted somewhere like Berlios or Sourceforge.
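To make the point concrete, here is an added example of the alternative design: an allowlist cleaner where the caller hands in the policy (which tags, which attributes per tag, and how big a numeric width may be) instead of the library deciding for you. This is my own illustration, not SafeHTML’s code; it uses PHP’s DOMDocument rather than XML_HTMLSax, and the policy array, the clean_html/scrub function names and the sample input are all made up for the example.

```php
<?php
// Added example, not SafeHTML's code: an allowlist HTML cleaner where the
// caller's $policy decides what survives. Parsing is done with DOMDocument
// (libxml); the serializer re-escapes text and attribute values on output.

function clean_html(string $input, array $policy): string
{
    $doc = new DOMDocument();
    // Declare the charset explicitly so libxml does not sniff it from the
    // input (the same idea as serving the page with an explicit charset).
    // The wrapper <div> gives us a single root to walk and serialise.
    $ok = @$doc->loadHTML(
        '<?xml encoding="UTF-8"><div>' . $input . '</div>',
        LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD
    );
    if (!$ok || $doc->documentElement === null) {
        return '';
    }
    $root = $doc->documentElement;
    scrub($root, $policy);

    $out = '';
    foreach ($root->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

function scrub(DOMNode $node, array $policy): void
{
    // Walk a static copy: removing or moving children while iterating the
    // live DOMNodeList would skip nodes.
    foreach (iterator_to_array($node->childNodes, false) as $child) {
        if ($child instanceof DOMText) {
            continue; // plain text is escaped again by saveHTML()
        }
        if (!$child instanceof DOMElement) {
            $node->removeChild($child); // comments, PIs, CDATA
            continue;
        }

        // Children first, so anything we unwrap below has already been cleaned.
        scrub($child, $policy);

        $tag = strtolower($child->tagName);
        if (!isset($policy['tags'][$tag])) {
            if (in_array($tag, ['script', 'style', 'iframe', 'object', 'embed'], true)) {
                $node->removeChild($child); // drop content of executable/embedding tags
            } else {
                // Unknown but harmless tag (e.g. <center>): keep its children, lose the tag.
                while ($child->firstChild !== null) {
                    $node->insertBefore($child->firstChild, $child);
                }
                $node->removeChild($child);
            }
            continue;
        }

        $allowedAttrs = $policy['tags'][$tag];
        foreach (iterator_to_array($child->attributes, false) as $attr) {
            $name = strtolower($attr->name);
            $value = trim($attr->value);
            if (!in_array($name, $allowedAttrs, true)) {
                $child->removeAttribute($attr->name); // on*, style, etc. never reach here
                continue;
            }
            if ($name === 'width' || $name === 'height') {
                // The author's table case: a 9999px width is not XSS but breaks the design.
                if (!preg_match('/^\d{1,4}$/', $value) || (int) $value > $policy['max_dimension']) {
                    $child->removeAttribute($attr->name);
                }
            } elseif ($name === 'href' || $name === 'src') {
                // Only http(s), site-relative and fragment URLs; rejects other schemes.
                if (!preg_match('#^(?:https?://|/|\#)#i', $value)) {
                    $child->removeAttribute($attr->name);
                }
            }
        }
    }
}

// Constructed policy and sample input for the example.
$policy = [
    'tags' => [
        'p' => [], 'b' => [], 'i' => [], 'em' => [], 'strong' => [], 'br' => [],
        'a' => ['href', 'title'],
        'table' => ['width', 'border'], 'tr' => [], 'td' => ['width'], 'th' => [],
    ],
    'max_dimension' => 600,
];
$sample = '<p onclick="unsafe()">Hi <b>there</b></p>'
    . '<table width="9999"><tr><td width="50">cell</td></tr></table>'
    . '<a href="javascript:void(0)">bad</a> <a href="https://example.com/">ok</a>'
    . '<script>unsafe()</script><center>centered <i>text</i></center>';
echo clean_html($sample, $policy), "\n";
```

Running this keeps the paragraph without its onclick, the table without its 9999 width but with the 50px cell, the example.com link with its href and the other link without one, drops the script entirely and unwraps the center tag. Whether a given width is “too large” lives in the caller’s policy array, which is exactly the decision I would rather not have a library make for me.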
Otherwise – side note (perhaps to Roman) – Jeff has since improved performance (over HTMLSax) with a new design, found here.