Ferenc Kovacs wrote:
>> My whole point here is identifying WHAT needs 'escaping'. You can't simply
>> 'escape' the output stream, you still want html tags to get out?
>
> This problem is specific to YOU, because (as far as I understood your previous post) you decided to store big chunks of HTML in your data store. It is not a problem with this proposal, or a problem in general. More specifically: accepting HTML, but trying to allow some of the tags but still filtering most of it. HTMLPurifier is the tool for this kind of job, but most people would recommend using some kind of alternative markup format, like BBCode <http://en.wikipedia.org/wiki/BBCode>.
Which is another possible solution to the overall problem. Filter the incoming data in a different way :)

I'm more than happy with my OWN methods of handling this problem, I was just pointing out that a LOT of people find ckeditor or one of the html in-line editors and think that is a good way to go ... that was how I started several years ago ... so I'm just putting my hand up and saying that simply creating an 'anti-XSS escaping class' may not work for some people. It is the whole package that is important.
( That is another tack on this as well Paddy )

--
Lester Caine - G8HFL
-----------------------------
Contact - http://lsces.co.uk/wiki/?page=contact
L.S.Caine Electronic Services - http://lsces.co.uk
EnquirySolve - http://enquirysolve.com/
Model Engineers Digital Workshop - http://medw.co.uk
Rainbow Digital Media - http://rainbowdigitalmedia.co.uk

--
PHP Internals - PHP Runtime Development Mailing List
