Hirvesh

Reputation: 7982

Do I need to use HTML Purifier if I'm stripping tags/converting them to HTML entities?

I'm currently working on a project where data is read from a textarea and fed to a MySQL database. My question is: do I really need to use HTML Purifier to prevent MySQL injections or whatever attacks if I'm already stripping HTML tags or converting them to entities?

Upvotes: 1

Views: 463

Answers (2)

user1115652

Reputation:

To protect against mysql injections you should use prepared statements.

For other attacks, well, for XSS you need to do proper output escaping. That is a bit more of a piece of cake. Matt Robinson wrote a good introduction to the concept. Pádraic Brady points out that it isn't as simple as that and eventually proposes using a wrapper around htmlspecialchars like Twig does. Zend also has an escaping library, and they are both inspired by the reference code from ESAPI, which unfortunately does not have a production-ready version for PHP.

Note that all libraries let the comma pass through in JavaScript context, which I think is a vulnerability.

If you don't want to accept HTML input and you are OK with just stripping out the HTML tags, you don't need to use HTML Purifier.

Upvotes: 2
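As an added example (not code from the question or either answer) of the two separate measures this answer describes, a prepared statement for storage and htmlspecialchars() escaping at output time, here is a PHP script; the notes table, its columns and the sample textarea value are assumptions, and it uses an in-memory SQLite database via PDO so it runs without a MySQL server:

```php
<?php
// Added example, not from the question or answers: a textarea value stored
// with a PDO prepared statement and rendered with output escaping.
// Assumptions: table "notes" with column "body"; SQLite in-memory DB.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE notes (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

// Constructed textarea input: contains a quote (an SQL concern) and a tag
// (an HTML concern). strip_tags() would remove the tag but leave the quote
// untouched, which is why the two problems are handled in different places.
$textarea = "O'Reilly wrote: <script>alert(1)</script> 1=1; -- ";

// 1. Storage: the prepared statement sends the SQL text and the data
//    separately, so nothing in $textarea can alter the query's structure.
//    The value is bound as-is; no addslashes() or manual quoting is applied.
$stmt = $pdo->prepare('INSERT INTO notes (body) VALUES (:body)');
$stmt->execute([':body' => $textarea]);

// Reading it back shows the value was stored verbatim, quote included.
$row = $pdo->query('SELECT body FROM notes WHERE id = 1')->fetch(PDO::FETCH_ASSOC);
assert($row['body'] === $textarea);

// 2. Output: escape for the context the value is rendered in (HTML body
//    or attribute here). This is the htmlspecialchars wrapper idea from
//    the answer, reduced to a single function.
function escapeHtml(string $s): string
{
    // ENT_QUOTES covers both quote styles so the value is safe inside
    // attribute values too; ENT_SUBSTITUTE replaces invalid UTF-8
    // instead of returning an empty string.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// The <script> tag reaches the browser as text, not as markup.
echo '<p>', escapeHtml($row['body']), "</p>\n";
echo '<input value="', escapeHtml($row['body']), "\">\n";
```

Run it with `php example.php` (needs the pdo_sqlite extension); stripping tags or converting to entities on input is a choice about what content to keep, not what protects the query.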

delphist

Reputation: 4549

You need to add escaping of quotes (') (the addslashes PHP function).

Upvotes: 0
