fortnox007 Posted December 28, 2010 Share Posted December 28, 2010 Hi all, someone gave me a tip to use html purifier instead of inventing fire all over again. So i thought i try out the library and it seems to work. But it worked so easy that i thought this can't be true. So since i am very inexperienced with it I would love to hear your tips and advice. If i have time and feel confident enough ill try to write a tutorial (with pictures so it can save new people time searching and prevent sneaky people inserting crap in our hard work. This is what i did: i downloaded the package and only kept the library. (since the manual says you only need that). So i just put it in a web folder next to my index.php Here is thescript I used: require_once '/library/HTMLPurifier.auto.php'; $purifier = new HTMLPurifier(); // i suppose this creates an instance of a class?? (i really suck in OOphp) $dirty_html = '<a href="javascript:alert(\'XSS\')";>hahahaha all your base are belong to us</a>'; $clean_html = $purifier->purify($dirty_html); echo 'some dirty crap here: '.$dirty_html.'<br />'; echo 'nice and clean: '.$clean_html; Any tips, advice, performance stuff, do's and do not's, anything is welcome. For instance i am not sure if its good to have it in a webfolder. Thanks guys! Quote Link to comment https://forums.phpfreaks.com/topic/222832-is-this-really-this-simple-html-purifier/ Share on other sites More sharing options...
PFMaBiSmAd Posted December 28, 2010 Share Posted December 28, 2010 Yes, that's how you would use a method of a class. If the code is completely secure, would require seeing the code in the class. I have seen login code, email form validation code, ... that claims to be the ultimate 'secure' code and someone went to a lot of work to produce a lot of lines of code in it, but the code contains either intentional or accidental holes in it (makes me think that some of the free code that obviously took a lot of effort to write was actually written and posted by hackers.) Quote Link to comment https://forums.phpfreaks.com/topic/222832-is-this-really-this-simple-html-purifier/#findComment-1152225 Share on other sites More sharing options...
fortnox007 Posted December 28, 2010 Author Share Posted December 28, 2010 Thanks for your swift reply PFMaBiSmAd, Just in case it was not clear for anyone i was mentioning this library: http://htmlpurifier.org/ And indeed you're right that the creators could indeed made backdoors. That's why I rather learn how to strip the text myself instead of just dumb installing, but the original thread I posted on how to make safe bbcode myself ended up being dead and I found it rude to bump it again. Quote Link to comment https://forums.phpfreaks.com/topic/222832-is-this-really-this-simple-html-purifier/#findComment-1152228 Share on other sites More sharing options...
lastkarrde Posted December 28, 2010 Share Posted December 28, 2010 And indeed you're right that the creators could indeed made backdoors. That's why I rather learn how to strip the text myself instead of just dumb installing I highly doubt the creators made a back door. It is open source code and is used/trusted by many PHP frameworks such as Kohana. The risk that you miss cleaning/filtering something in your own code far outweighs the risk/possibility that HTMLPurifier has a backdoor. Quote Link to comment https://forums.phpfreaks.com/topic/222832-is-this-really-this-simple-html-purifier/#findComment-1152308 Share on other sites More sharing options...
fortnox007 Posted December 29, 2010 Author Share Posted December 29, 2010 Thanks lastkarrde, I think you are right and it would be pretty weird to doubt the integrity of such a library which is highly adopted by so many cms-frameworks. But yeah anything is possible. And it is certainly is wise to respect the number 1security rule 'trust no one'. Assuming this library is made by talented people which are not evil, I would like to continue this thread with tips and tricks of users that have more experience with it than I have. In the end it would be nice to bundle it in a bite size tutorial useful document for all the phpfreaks members. Since security is something we all have to deal with and this library seems to be pretty usefull. Quote Link to comment https://forums.phpfreaks.com/topic/222832-is-this-really-this-simple-html-purifier/#findComment-1152385 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.