PHPDeveloper.org: Chris Shiflett's Blog: Allowing HTML and Preventing XSS

	News Feed
	Jobs Feed

Sections

Tutorials

Books

Events

Talks

Jobs

Recent Jobs

Dave Marshall's Blog: Competition: PHP Job Hunters Handbook up for grabs

Job Posting: LIVESTRONG.com/Demand Media Inc. Seeks Senior PHP Software Developer (Santa Monica, CA)

Job Posting: Children's Hospital Boston Seeks Open Source Web Developer (Boston, MA)

Job Posting: eReleases Seeks Zend/PHP Developer (Baltimore, MD)

Job Posting: Chegg Seeks Senior PHP Developer (Santa Clara, CA)

Job Posting: TEKSystems (Recruiter) Seeks PHP Web Application Developers (Tampa, FL)

Job Posting: Quinstreet, Inc. Seeks Sr. PHP Developer (Foster City, CA)

Job Posting: WideEye Interactive/Moroch Advertising Seeks Web Developer (Dallas, TX)

Job Posting: Project People Ltd (Recruiter) Seeks PHP Developer (Paris, France)

Job Posting: Snelling (Recruiter) Seeks Web Programmer (Boston, MA)

News Archive

Site News: Blast from the Past - One Year Ago in PHP

Community News: phpGG Frontend Special

devReview.com: The Big List of PHP Frameworks

Kana Yeh's Blog: Review Ivo Jansch's Guide to Enterprise PHP development

Jani Hartikainen's Blog: Another idea for using models with forms

DevShed: PHP Programs to Prevent MySQL Injection or HTML Form Abuse

Misko Hevery's Blog: Guide: Writing Testable Code

Daniel Cousineau's Blog: Zend Framework Module Init Script (Controller Plugin)

Adobe Developer Connection: Integrated PHP and Flex Development with Zend Studio and Flex Builder

PHPFreaks.com: Protecting php applications with PHPIDS

Chris Shiflett's Blog:
Allowing HTML and Preventing XSS

by Chris Cornutt March 16, 2007 @ 09:23:00

In this new post to his blog, Chris Shiflett helps to solve one of the problems that several web designers face when allowing user input but wanting to protect themselves as well - allowing HTML while preventing a user from including a cross-site scripting issue.

This problem comes up more and more often due to the rise of social networking and other Web 2.0 properties that embolden users. [...] Of course, BBCode inevitably comes up during these types of discussions, but I really hate the idea of using yet another markup language just because I'm too lazy to deal with HTML, especially if the markup language doesn't even try to be user-friendly.

He looks for a good solution, one that doesn't require learning a new markup or becoming overly complex (while avoiding strip_tags). He provides several chunks of code for different aspects of the method - first make the content safe, then move backwards in the translation for the items you want to allow.

0 comments voice your opinion now!
allow html prevent crosssitescript secure user content input allow html prevent crosssitescript secure user content input

Similar Posts

Bjarte Karlsen's Blog: Sorting with uasort

ThinkPHP Blog: SQL injections for dummies - and how to fix them

Boston PHP User Group: February 2006 Meeting - 7th @ 6:30pm

Felix Geisendorfer's Blog: How-to: Use Html 4.01 in CakePHP 1.2

Ed Finkler's Blog: PHPSecInfo v0.2.1 now available

Community Events

Don't see your event here?
Let us know!

All content copyright, 2009 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework