Sinan

Reputation: 5980

PHP filter library or class

I need a filter function for a project I'm working on. I am thinking about using HTML purifier. However, I am concerned about its performance.

Have any of you used, or are you using, HTML purifier? Or do you suggest another library or class with similar functionality?

The most important issues are:

Upvotes: 2

Views: 2442

Answers (3)

webaholik

Reputation: 1815

Regarding cross-site scripting (XSS) - Many frameworks help handle this in various ways. When rolling your own or if there's some XSS concern, we can leverage filter_input_array (available in PHP 5 >= 5.2.0 and PHP 7). I typically will add this snippet to my SessionController, because all calls go through there before any other controller interacts with the data. In this manner, all user input gets sanitized in 1 central location. If this is done at the beginning of a project or before your database is poisoned, you shouldn't have any issues at time of output... stops garbage in, garbage out.

/* Prevent XSS input */
/* FILTER_SANITIZE_STRING strips tags and encodes quotes in every value.
   filter_input_array() returns NULL when the input array is empty (e.g. $_POST
   on a GET request), so fall back to an empty array instead of replacing the
   superglobal with NULL. Note: FILTER_SANITIZE_STRING is deprecated as of PHP 8.1. */
$_GET   = filter_input_array(INPUT_GET, FILTER_SANITIZE_STRING) ?: array();
$_POST  = filter_input_array(INPUT_POST, FILTER_SANITIZE_STRING) ?: array();
/* I prefer not to use $_REQUEST...but for those who do, rebuild it from the sanitized arrays: */
$_REQUEST = (array)$_POST + (array)$_GET + (array)$_REQUEST;

http://php.net/manual/en/function.filter-input-array.php

Upvotes: 1

Chetan Patel

Reputation: 137

If you are looking for validation as well as filter options for variables, then go with the library below.

https://github.com/Wixel/GUMP

# Note that filters and validators are separate rule sets and method calls. There is a good reason for this.

require "gump.class.php";

$gump = new GUMP();

$_POST = $gump->sanitize($_POST); // You don't have to sanitize, but it's safest to do so.

$gump->validation_rules(array(
    'username'    => 'required|alpha_numeric|max_len,100|min_len,6',
    'password'    => 'required|max_len,100|min_len,6',
    'email'       => 'required|valid_email',
    'gender'      => 'required|exact_len,1|contains,m f',
    'credit_card' => 'required|valid_cc'
));

$gump->filter_rules(array(
    'username' => 'trim|sanitize_string',
    'password' => 'trim',
    'email'    => 'trim|sanitize_email',
    'gender'   => 'trim',
    'bio'      => 'noise_words'
));

$validated_data = $gump->run($_POST);

if($validated_data === false) {
    echo $gump->get_readable_errors(true);
} else {
    print_r($validated_data); // validation successful
}

Upvotes: 1

Pascal MARTIN

Reputation: 401182

If you want to:

  • Make sure only the HTML tags and attributes that you specified are allowed
  • And make sure you get some valid HTML as output,

Then I would say that HTMLPurifier is the right tool for the job.

I've used it a couple of times -- and I have never heard of another tool that would do that kind of stuff well.


As a sidenote about performance: you are validating/filtering the HTML when it is typed by the user, of course?

I meant:

  • Some HTML is input by the user
  • You validate / filter / clean it with HTMLPurifier
  • And you store that clean HTML to the database

And you don't use HTMLPurifier each time some HTML data is output, do you? That would be awful for performance ^^


Oh, also: did you try activating some cache for HTMLPurifier?

See the Cache section, in the documentation.

Upvotes: 2
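The setup this answer describes (whitelist the allowed tags and attributes, purify once at input time, enable the definition cache), as an added example that is not part of the original answer or of the HTMLPurifier project. It assumes HTMLPurifier is installed through Composer (`ezyang/htmlpurifier`) and that the cache directory passed in exists and is writable by the web server; the function names and the sample input are constructed for this example.

```php
<?php
// Added example: purify user HTML once on input with a tag/attribute whitelist,
// then store the clean result. Assumes Composer autoloading and a writable cache dir.
require_once __DIR__ . '/vendor/autoload.php';

function buildPurifier(string $cacheDir): HTMLPurifier
{
    $config = HTMLPurifier_Config::createDefault();
    // Whitelist: only these elements/attributes survive; everything else
    // (script, event handlers, unknown tags) is removed or unwrapped.
    $config->set('HTML.Allowed', 'p,br,b,strong,i,em,ul,ol,li,a[href],blockquote');
    // Only http/https links are kept; other URI schemes are dropped from href.
    $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true]);
    $config->set('HTML.Nofollow', true);           // add rel="nofollow" to links
    // Serialized definition cache (the "Cache section" of the docs): avoids
    // rebuilding the HTML/CSS/URI definitions on every request.
    $config->set('Cache.SerializerPath', $cacheDir);
    return new HTMLPurifier($config);
}

function cleanUserHtml(HTMLPurifier $purifier, string $dirty): string
{
    // Run at input time only; the returned string is what you persist.
    return $purifier->purify($dirty);
}

// Constructed sample input with markup outside the whitelist.
$dirty = '<p onclick="x()">Hello <b>there</b><script>alert(1)</script> '
       . '<a href="https://example.com">site</a></p><iframe src="//x"></iframe>';

$purifier = buildPurifier(__DIR__ . '/cache/htmlpurifier');
$clean    = cleanUserHtml($purifier, $dirty);

// Store $clean (e.g. with a prepared statement). On output, echo the stored
// purified HTML as-is and apply htmlspecialchars() only to plain-text fields.
echo $clean, PHP_EOL;
```

Create the cache directory once (and keep it outside the document root) before the first request; HTMLPurifier writes its serialized definitions there on first use and reads them afterwards.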
